Internal Control over Compliance: Green Book
Internal Control Best Practices for Governments

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP


Learning Objectives

• Explain the components and principles of internal control using the Green Book framework
• Begin discussing how to implement the Green Book in your organization


Standards for Internal Control in the Federal Government

• The Green Book is on GAO's website at www.gao.gov/greenbook


What's in Green Book for the Federal Government

• Reflects federal internal control standards required per the Federal Managers' Financial Integrity Act (FMFIA)
• Serves as a base for OMB Circular A-123
• Written for government
  – Leverages the COSO Framework
  – Uses government terms


What's in Green Book for State and Local Governments

• Acceptable framework for internal control at the state and local government level under the proposed OMB Uniform Guidance for Federal Awards
• Written for government
  – Leverages the COSO Framework
  – Uses government terms


Uniform Guidance - §200.303 Internal Controls

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.

(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive, or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.


Why Do We Need an Internal Control Framework?

• Provides standards for management
• Provides criteria for auditors


Updated COSO Framework

• Released May 14, 2013


The COSO Framework

• Relationship of objectives and components
  – Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
  – The three objectives are represented by the columns
  – The five components are represented by the rows
  – The entity's organization structure is represented by the third dimension

[Figure: the COSO cube. Source: COSO]


From COSO to Green Book Harmonization

[Figure: COSO framework mapped side by side to the Green Book]


Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness


Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved.
• What is an internal control system in Green Book?
  – An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved.


Relationship Between Components, Principles and Attributes

[Figure: hierarchy Objectives → Components → Principles → Attributes, illustrated with one example read top to bottom]

  Objective: Process vendor bills after the valid purchase and receipt of goods or services
  Component: Control Activity
  Principle: Design Activities for Information System
  Attribute: Application Control – Workflow Approval


Components and Principles

[Figure: the five components with their principles]


Revised Green Book Principles: 5 Components and 17 Principles


Working Framework: Component → Principle → Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
  – Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components are:
  – Effectively designed, implemented and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective


Layout of the Green Book

[Figure: the two sections of the Green Book, Overview and Standards]


5 Control Components

• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components

[Figure: how controls span the five components]


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively


Minimum Documentation Requirements (cont.)

Requirement | Component (Green Book paragraph reference)

Management develops and maintains documentation of its internal control system | Control Environment (3.09)

Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)

Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)

Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)

Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing ("HERE")

Step (deliverable):

1. Formally declare an internal control framework (Written Policy, required)
2. Break down the organization into functions (Risk Assessment Spreadsheet)
3. Establish a process for evaluating risks (Risk Assessment Spreadsheet)
4. Create teams by function to brainstorm risks (Risk Assessment Spreadsheet)


Incremental Progress - Analysis and Monitoring ("THERE")

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high exposure risks
4. Develop a process to ensure the controls are operating as designed

Deliverables shown for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (required); Internal Audit / Management Audit Plan (required)


Written Policy

[Figure: sample written policy]


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions tab

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies.

A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

(The workbook's Template and Examples tabs are reproduced at the end of this document.)


Enterprise Risk Management

Risk scoring matrix. Each risk is rated 1 to 5 on nine factors; each factor carries a weight, and the weights total 100. The Total Score shown for every row equals the sum of rating × weight across the nine factors.

Factors, in column order, with weights:
  1. Level of documented control procedures (10)
  2. Size or volume (10)
  3. New products, services, or processing systems (10)
  4. Personnel turnover and mix (15)
  5. Complexity (15)
  6. Susceptibility to fraud (15)
  7. Information and reporting (10)
  8. Inherent level of risk to the organization (10)
  9. Frequency mentioned during interviews (5)

Risk | Description | Ratings (factors 1 to 9) | Total Score

Data Breach | The risk that the organization's data is vulnerable from internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405

National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner, but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335

Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335

Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335

Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
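The scoring matrix above is the arithmetic behind the "Risk Assessment Spreadsheet" that the Organizing and Analysis steps hand from team to team. The following is an added example, not CLA's spreadsheet or any tool from the deck: it transcribes the nine factor weights and the five rated risks from the slide, recomputes each Total Score as the weighted sum, checks that the weights actually total 100 (a matrix whose weights drift away from 100 silently makes totals incomparable across risks), and ranks the risks so the "design controls to mitigate high exposure risks" step has an ordered list to start from. The `exposure_band` thresholds are an assumption for illustration and do not appear on the slide.

```python
"""Weighted enterprise-risk scoring, reconstructed from the slide's matrix.

Added example, not the presenter's spreadsheet. Factor names, weights and
the five risk rows are transcribed from the slide; the weight-sum check,
the ranking and the exposure bands are assumptions about how such a
matrix is used in the analysis step.
"""

# Scoring factors and their weights as shown on the slide (weights total 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
WEIGHTS = [w for _, w in FACTORS]

# Risk rows transcribed from the slide: name -> nine factor ratings (1..5).
RISKS = {
    "Data breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of venue (Filene Center)": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def validate_weights(weights):
    """Weights must total 100 so Total Scores are comparable across risks."""
    total = sum(weights)
    if total != 100:
        raise ValueError(f"factor weights total {total}, expected 100")
    return total


def weighted_score(ratings, weights=WEIGHTS):
    """Total Score = sum(rating_i * weight_i); every rating must be on the 1..5 scale."""
    if len(ratings) != len(weights):
        raise ValueError("exactly one rating per factor is required")
    for r in ratings:
        if not 1 <= r <= 5:
            raise ValueError(f"rating {r} is outside the 1..5 scale")
    return sum(r * w for r, w in zip(ratings, weights))


def rank_risks(risks, weights=WEIGHTS):
    """Return [(name, score)] highest first; ties keep slide order (sorted is stable)."""
    validate_weights(weights)
    scored = [(name, weighted_score(r, weights)) for name, r in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def exposure_band(score, high=350, medium=300):
    """Assumed banding (not on the slide): scores range 100..500 with these weights."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, score in rank_risks(RISKS):
        print(f"{score:4d}  {exposure_band(score):6s}  {name}")
```

Running the block reproduces the slide's totals (405, 335, 335, 335, 330) and puts the data breach risk first, which is the row the deck's own security-relevant example lands on.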


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit / Management Audit Plan

[Figure: sample management audit plan]


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
Sean.Walker@claconnect.com | 410-308-8081

Risk Assessment Spreadsheet: Examples tab

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g. proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Risk Assessment Spreadsheet: Template tab

Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

Weakness Level drop-down values (to be completed for all significant deficiencies or material weaknesses): Deficiency / Significant Deficiency / Material Weakness

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?

1.2 Statement: Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 Statement: The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

    Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?

Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Statement: Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for their objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks
71 A process (ie Strengths Weaknesses Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel new information systems changes in management responsibilities new or changed educational or research programs etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of internal risk factors on objectives and plans If yes what is your process How often is the process updated
72 A process exists to identify and consider the implications of external risk factors (new legislation technological advancements expectations of the federal government etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of external risk factors objectives and plans How often is the process updated
73 Management has developed an approach for risk management that assesses the likelihood frequency and impact of each identified risk event assigns a risk category (high medium low) to each event and considers the costs versus the benefits of reducing the risk Do you conduct a risk assessment of your business processes If so how and how often
74 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities Are plans developed and documented to mitigate significant identified risks Are risks mapped to specific control activities
75 Management periodically assesses employee attitudes towards their specific roles in the agency reviews the effectiveness of the organization structure and evaluates the appropriateness of policies and procedures Is management open to feedback from employees and does management continually assess employee attitudes towards their roles (ie open-door policy)
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 - Access Fraud Risk
81 Specific antifraud policies and training have been developed periodically employees receive training on fraud awareness and appropriate actions to take when fraud is suspected Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made Does your AgencyAssessable Unit have specific internal antifraud policies and has training been developed If yes is there a required periodic training for each employee to complete and sign off on What is managements internal fraud response plan and how does it respond timely if an internal fraud allegation is made
82 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (ie fraudulent financial reporting misappropriation of assets corruption) Management identifies fraud risk factors (incentivepressure opportunity and attituderationalization) that often lead to fraud being committed Also management identifies other forms of misconduct that can occur such as waste and abuse The assessment considers how to remedy control deficiencies identified How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (ie review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring) How does management identify fraud risk factors How does management consider other forms of misconduct such as waste and abuse
83 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur How does management respond to any identified fraud risk factors (ie implement compensating controls to deter fraud) How are identified fraud risk factors communicated to employees
Principle 9 ndash Identify Analyze and Respond to Change
91 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel
92 Mechanisms exist to identify prioritize and react to 1) routine events (ie turnover) 2) economic change 3) regulatory changes and 4) technological changes that impact the achievement of agencyassessable unit-wide objectives How does your AgencyAssessable Unit identify prioritize and react to routine events economic change regulatory changes new legislation and technological changes How do you ensure that none of these changes are overlooked
93 Management promotes continuous improvement and solicits input and feedback on the implications of significant change Does management promote continuous improvement and solicit input and feedback on the implications of significant change If yes how does management evaluate staff and promote continuous improvement
Control Activities
Principle 10 ndash Design Control Activities
101 Policies procedures techniques andor mechanisms are in place to enforce managements directives to achieve the entitys objectives and address related risks Does your AgencyAssessable Unit have policies procedures techniques andor mechanisms in place to enforce managements directives to achieve objectives and address related risks
102 Policies and procedures address the handling of confidential or sensitive information such as social security numbers or protected health information Does your AgencyAssessable Unit have policies and procedures in place to address the handling of confidential or sensitive information
103 Management has defined and appropriately assigned employee job duties roles and responsibilities to qualified personnel to achieve agency or bureau control objectives Has your AgencyAssessable Unit defined and appropriately assigned employee job duties roles and responsibilities to qualified personnel to achieve control objectives
104 The agency has established and monitors performance measures and indicators Do you monitor performance measures
105 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error waste or fraud For example no one person should initiate transactions reconcile balances handle assets and review reports If adequate segregation of duties is not practical management has designed compensating control activities (ie additional supervision and review) to address the entitys risk Does your AgencyAssessable Unit have a process in place to ensure there are adequate segregation of duties If there are exceptions (ie instances where segregation of duties is not practical due to resource constraints) have compensating controls been implemented and documented to address the associated risks
106 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and roles they are assigned within IT systems The security and data policy should include access control user provisioning etc At a minimum an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems Has your AgencyAssessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems Do the procedures implemented include access control user provisioning etc Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems
107 Management designs controls activities to ensure certain transactions need appropriate levels of review based on predetermined criteria set by management in response to determined risks (ie management is concerned with contracts being awarded above $1 million all contracts over $1 million must be reviewed and signed off by Deputy Secretary) Are dollar thresholds established to escalate transactions to a higher level of management for reviewapproval
108 Accounting reports and key reconciliations are completed timely (ie reconciliation of grant expenditures is prepared and reviewed purchasing card reconciliations) Management performs a diligent review and signifies approval by signature and date Unexpected operating results or unusual trends are investigated Are accounting reports and reconciliations completed timely documented and reviewed and approved (evidenced by signatures and dates of those responsible) Are anomalies investigated
109 Management designs appropriate types of control activities to address risks surrounding their control objectives Management will take into consideration the following controls when designing effective control proceduresbullTop Level Reviews of performancebullManagement of Human CapitalbullControls over information processing (ie edit checks of data entered accounting for transactions in numerical sequences batch total with control accounts etc)bullPhysical control over vulnerable assetsbullAppropriate documentation (formal policies directives and manuals are properly managed and maintained) Does management utilize the appropriate type of control activities needed to address risks
1010 Management designs controls at the appropriate levels in the organizational structure (entity-level bureau-level transaction-level) in response to risks identified Management will incorporate transactionalactivity controls (ie reconciliations authorizations etc) into the operational process when necessary depending on the relevance of the transaction cycle in meeting the overall bureau control objective Does management design controls at the appropriate level in response to risks identified Has management incorporated transactionalactivity controls depending on the relevance of the transaction cycle in meeting the overall AgencyAssessable Unit control objective
1011 Employees understand which records they are responsible to maintain and the required retention period Records are appropriately filed and are disposed of according to the updated retention schedule How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule
1012 Management has a written policy in place which defines the procedures for monitoring sub-recipients 1) The agencyassessable unit documents its review of sub-recipients 2) The agencyassessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring Does management have a written policy in place which defines the procedures for monitoring sub-recipients Does management document its review of sub-recipients Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring
1013 Management confirms the operating effectiveness of their service providers controls Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Management determines whether examinations audits service level agreements and related independent reports (ie Service Organization Control (SOC) 1 SOC 2 andor SOC 3 reports security assessments system certifications etc) should beare required as part of the contract with the third party service provider Does management confirm the operating effectiveness of their service providers controls Does management inventory existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Does management determine whether examinations audits service level agreements and related independent reports should beare required as part of the contract with the third party service provider
1014 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follows up on any areas of concerndeficiencies identified in the reports Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follow up on any areas of concerndeficiencies identified in the reports
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
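An assessor answering item 11.3 needs evidence rather than a verbal "yes". The script below is an added example, not part of the questionnaire or CliftonLarsonAllen's material: it reads the Active Directory default domain password policy with the ActiveDirectory module (RSAT) and reports every setting that falls short of the thresholds stated in 11.3. The function name and the `$Expected` table are this example's own; the thresholds are the questionnaire's. AD has no switch for "one numeric and one alpha character", so the built-in `ComplexityEnabled` setting is used as the nearest control, and that substitution is noted in the code.

```powershell
# Added example (not from the questionnaire): compare the AD default domain
# password policy with the parameters in item 11.3 and list each gap.
# Requires the ActiveDirectory module and ordinary read access to the domain.
Import-Module ActiveDirectory

# Expected values, taken from item 11.3 of the questionnaire.
$Expected = @{
    MinPasswordLength  = 8      # minimum of 8 characters
    MaxPasswordAgeDays = 30     # passwords expire every 30 days
    LockoutThreshold   = 4      # ID suspended after four invalid attempts
    ComplexityEnabled  = $true  # nearest AD control to "one numeric and one alpha"
}

function Test-PasswordPolicyAgainstItem113 {
    # Returns one string per gap; an empty result means the policy meets 11.3.
    param([Parameter(Mandatory)] $Policy, [hashtable] $Expected)

    $findings = @()

    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); 11.3 requires at least $($Expected.MinPasswordLength)."
    }

    # MaxPasswordAge is a TimeSpan; zero means passwords never expire, which is
    # itself a gap against 11.3.
    $ageDays = [int]$Policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $Expected.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days (0 = never); 11.3 requires expiry every $($Expected.MaxPasswordAgeDays) days."
    }

    # LockoutThreshold of zero means lockout is disabled entirely.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold) (0 = disabled); 11.3 requires lockout after $($Expected.LockoutThreshold) invalid attempts."
    }

    # Substitution: ComplexityEnabled enforces character-class mixing, which is
    # the closest built-in control to the questionnaire's numeric+alpha rule.
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is False; 11.3 requires numeric and alpha characters."
    }

    return $findings
}

$policy = Get-ADDefaultDomainPasswordPolicy
$gaps   = @(Test-PasswordPolicyAgainstItem113 -Policy $policy -Expected $Expected)

if ($gaps.Count -eq 0) {
    Write-Output "Default domain password policy meets item 11.3."
} else {
    $gaps | ForEach-Object { Write-Output "GAP: $_" }
}

# Fine-grained password policies override the default for the principals they
# apply to, so each one needs the same comparison; list them for the reviewer.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  LockoutThreshold, ComplexityEnabled, AppliesTo
```

Keep the output with the questionnaire response as the evidence for 11.3, and re-run it for any fine-grained policy that applies to privileged or service accounts, since those are the ones most often exempted from the default. The thresholds are the questionnaire's own; current NIST SP 800-63B guidance no longer recommends forced periodic expiry, so an agency that has moved away from a 30-day rotation should document that decision alongside the result rather than silently fail the item.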
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Questions: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
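Items 11.4 and 11.6 (and the segregation-of-duties review in 10.6) are answered with the same reconciliation: the HR roster against the account list. The script below is an added example, not the questionnaire's or the Commonwealth's own procedure. It flags separated employees whose IDs are still enabled, suspended IDs older than the two-week deletion window, accounts with no HR record, and users holding a conflicting pair of groups, then builds the per-manager attestation list for the semiannual review. The roster, account list, group names, conflict pairs and the `DisabledOn` field are constructed sample data; in practice the account list comes from `Get-ADUser -Filter * -Properties Enabled,MemberOf,WhenChanged` and the roster from HR's notifications.

```powershell
# Added example (not from the questionnaire): joiner/leaver and access-review
# reconciliation for items 11.4, 11.6 and 10.6 on constructed sample data.
$AsOf = Get-Date '2017-06-30'

# Constructed HR roster: Separated is the last day of employment, or $null.
$HrRoster = @(
    [pscustomobject]@{ Sam='jdoe';   Manager='Finance'; Separated=$null }
    [pscustomobject]@{ Sam='asmith'; Manager='Finance'; Separated=[datetime]'2017-06-01' }
    [pscustomobject]@{ Sam='bkhan';  Manager='IT';      Separated=[datetime]'2017-06-27' }
)

# Constructed account list. DisabledOn stands in for the date the ID was suspended.
$Accounts = @(
    [pscustomobject]@{ Sam='jdoe';    Enabled=$true;  DisabledOn=$null;                  Groups=@('GL-Post','GL-Approve') }
    [pscustomobject]@{ Sam='asmith';  Enabled=$false; DisabledOn=[datetime]'2017-06-01'; Groups=@('GL-Post') }
    [pscustomobject]@{ Sam='bkhan';   Enabled=$true;  DisabledOn=$null;                  Groups=@('Domain Admins') }
    [pscustomobject]@{ Sam='svc-etl'; Enabled=$true;  DisabledOn=$null;                  Groups=@('ETL-Run') }
)

# Constructed conflicting group pairs for item 10.6: no one person holds both.
$SodConflicts = @(, @('GL-Post', 'GL-Approve'))

function Get-AccessExceptions {
    # Leaver checks from item 11.4: suspend on last day, delete after two weeks.
    param($Roster, $Accounts, [datetime]$AsOf, [int]$DeleteAfterDays = 14)
    $byUser = @{}
    foreach ($r in $Roster) { $byUser[$r.Sam] = $r }
    foreach ($a in $Accounts) {
        $r = $byUser[$a.Sam]
        if (-not $r) {
            # No HR record: service account or orphan; either way it needs a named owner.
            [pscustomobject]@{ Sam=$a.Sam; Finding='NoRosterMatch'; Detail='Not in HR roster; confirm owner' }
            continue
        }
        if ($a.Enabled -and $r.Separated -and $r.Separated -le $AsOf) {
            [pscustomobject]@{ Sam=$a.Sam; Finding='SeparatedStillEnabled'; Detail="Separated $($r.Separated.ToString('yyyy-MM-dd')); 11.4 requires suspension on last day" }
        }
        if (-not $a.Enabled -and $a.DisabledOn -and ($AsOf - $a.DisabledOn).Days -gt $DeleteAfterDays) {
            [pscustomobject]@{ Sam=$a.Sam; Finding='DisabledPastDeleteWindow'; Detail="Suspended $(($AsOf - $a.DisabledOn).Days) days; 11.4 deletes after $DeleteAfterDays" }
        }
    }
}

function Get-SodViolations {
    # Item 10.6: enabled accounts holding every group of a conflicting pair.
    param($Accounts, $Conflicts)
    foreach ($a in ($Accounts | Where-Object Enabled)) {
        foreach ($pair in $Conflicts) {
            $held = @($pair | Where-Object { $a.Groups -contains $_ })
            if ($held.Count -eq $pair.Count) {
                [pscustomobject]@{ Sam=$a.Sam; Finding='SodConflict'; Detail="Holds $($pair -join ' and ')" }
            }
        }
    }
}

function Get-ReviewPackage {
    # Item 11.6: one row per enabled account, grouped by the manager who attests.
    param($Roster, $Accounts)
    $byUser = @{}
    foreach ($r in $Roster) { $byUser[$r.Sam] = $r }
    $Accounts | Where-Object Enabled | ForEach-Object {
        $r = $byUser[$_.Sam]
        [pscustomobject]@{
            Manager = $(if ($r) { $r.Manager } else { 'UNASSIGNED' })
            Sam     = $_.Sam
            Groups  = ($_.Groups -join ', ')
        }
    } | Sort-Object Manager, Sam
}

$exceptions = @(Get-AccessExceptions -Roster $HrRoster -Accounts $Accounts -AsOf $AsOf) +
              @(Get-SodViolations -Accounts $Accounts -Conflicts $SodConflicts)

Write-Output '== Exceptions for Data Security follow-up (11.4 / 10.6) =='
$exceptions | Format-Table -AutoSize

Write-Output '== Attestation package for business managers (11.6) =='
Get-ReviewPackage -Roster $HrRoster -Accounts $Accounts | Format-Table -AutoSize
```

On the sample data the exception list carries four rows: jdoe holds both posting and approval groups, asmith has been suspended 29 days and is past the deletion window, bkhan separated three days ago but is still enabled (and sits in Domain Admins), and svc-etl has no HR owner. The attestation table is what each business manager signs for 11.6; the exception list is the work queue for the Data Security group, which 11.6 names as the only party that changes access.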
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
    Questions: Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Questions: Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
    Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?

Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
    Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
    Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and the results of successful testing are documented prior to implementation.
    Questions: Are application changes tested, and are the results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?

Program Development

11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
    Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
    Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
    Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and the results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
    Questions: Is testing planned for all new or upgraded applications? Are the results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
    Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
    Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?

Computer Operations

11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
    Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
    Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
    Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?

Data Integrity

11.24 Management establishes restrictive authorization controls within its operations, including the establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
    Questions: Does management establish restrictive authorization controls within its operations, including the establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports.
    Questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file).
    Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file)?

Disaster Recovery

11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
    Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
    Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
    Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
    Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?

Principle 12 – Implement Control Activities

12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
    Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
    Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 ndash Use Quality Information
131 Management continuously identifies its information requirements needed to communicate effectively both internally and externally This would include managements review of changes to statute regulations economic changes and other factors How does management continuously identify changes (ie control environment controls internal controls regulations etc)and ensure it is communicated internally andor externally
132 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements Where and when does management obtain its relevant data (both internally and externally) and how does management ensure that information received is reliable and not reporting false information
133 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agencys information system Is management using current complete accurate and accessible information on a timely basis to make informed decisions What reporting mechanisms (ie SAP module manual reports) are being used to run reports to meet the control objectives
Principle 14 ndash Communication Internally
141 Policies and procedures are formally shared with employees up-to-date reflective of actual operating practices in alignment with goals and objectives and comply with state and federal program requirements How are changes (ie policyprocedural compliance or regulatory) communicated to all employees Are policies and procedures reviewed and updated to reflect changes
142 Management ensures that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur How does management ensure that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Learning Objectives

• Explain the components and principles of internal control using the Green Book framework

• Begin discussing how to implement the Green Book in your organization


Standards for Internal Control in the Federal Government

• The Green Book is on GAO's website at www.gao.gov/greenbook


What's in Green Book for the Federal Government

• Reflects federal internal control standards required per the Federal Managers' Financial Integrity Act (FMFIA)
• Serves as a base for OMB Circular A-123
• Written for government
  – Leverages the COSO Framework
  – Uses government terms


What's in Green Book for State and Local Governments

• Acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards
• Written for government
  – Leverages the COSO Framework
  – Uses government terms


Uniform Guidance – § 200.303 Internal Controls

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.

(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.


Why Do We Need an Internal Control Framework?

• Provides standards for management
• Provides criteria for auditors


Updated COSO Framework

• Released May 14, 2013


The COSO Framework

• Relationship of objectives and components
  – Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
  – The three objectives are represented by the columns
  – The five components are represented by the rows
  – The entity's organization structure is represented by the third dimension

Source: COSO


From COSO to Green Book: Harmonization

[Figure: side-by-side mapping of COSO to the Green Book]


Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness


Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
  – An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved


Relationship Between Components, Principles and Attributes

Objectives → Components → Principles → Attributes

Example:
  Objective: Process vendor bills after the valid purchase and receipt of goods or services
  Component: Control Activity
  Principle: Design Activities for Information System
  Attribute: Application Control – Workflow Approval
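As an added illustration of the attribute on this slide, and of the application-control items in the assessment template (validation of input data, identification of rejected transactions for resolution, balancing and reconciliation), the following Python is example code written for this page, not the deck's or the template's own. The vendors, purchase orders, receipts and invoices are constructed sample records, and the one-cent tolerance is an assumed setting.

```python
"""Vendor-bill workflow approval as an application control (added example, constructed data).
Approve a bill only when an approved PO and a goods/services receipt exist and amounts agree;
anything else is a rejected transaction carrying a reason, and a balancing check closes the loop."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: Decimal
    approved: bool  # the PO went through its own approval workflow

@dataclass(frozen=True)
class Receipt:
    po_id: str
    amount: Decimal  # value of goods/services actually received

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    po_id: str
    amount: Decimal

@dataclass
class MatchResult:
    approved: List[str] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (invoice_id, reason)

# Assumed tolerance: absorbs rounding; anything larger needs a human decision.
TOLERANCE = Decimal("0.01")

def validate_invoice(inv: Invoice) -> Optional[str]:
    """Input validation: a rejection reason, or None when the record is well formed."""
    if not (inv.invoice_id and inv.vendor and inv.po_id):
        return "missing required field"
    if inv.amount <= 0:
        return "non-positive amount"
    return None

def three_way_match(invoices: List[Invoice], purchase_orders: List[PurchaseOrder],
                    receipts: List[Receipt]) -> MatchResult:
    """Approve an invoice only if PO, receipt and invoice agree; otherwise reject with a reason."""
    pos: Dict[str, PurchaseOrder] = {po.po_id: po for po in purchase_orders}
    received: Dict[str, Decimal] = {}
    for r in receipts:  # several partial receipts may belong to one PO
        received[r.po_id] = received.get(r.po_id, Decimal("0")) + r.amount
    result = MatchResult()
    for inv in invoices:
        reason = validate_invoice(inv)
        po = pos.get(inv.po_id)
        if reason is None:
            if po is None:
                reason = "no purchase order on file"
            elif not po.approved:
                reason = "purchase order not approved"
            elif po.vendor != inv.vendor:
                reason = "vendor does not match purchase order"
            elif inv.po_id not in received:
                reason = "no goods/services receipt on file"
            elif abs(received[inv.po_id] - inv.amount) > TOLERANCE:
                reason = "invoice amount differs from receipt"
            elif inv.amount > po.amount + TOLERANCE:
                reason = "invoice exceeds purchase order"
        if reason is None:
            result.approved.append(inv.invoice_id)
        else:
            result.rejected.append((inv.invoice_id, reason))
    return result

def reconcile(invoices: List[Invoice], result: MatchResult) -> bool:
    """Balancing control: every input invoice appears exactly once as approved or rejected."""
    inputs = sorted(inv.invoice_id for inv in invoices)
    outputs = sorted(result.approved + [iid for iid, _ in result.rejected])
    return inputs == outputs

# Constructed sample data: one clean match and three different control failures.
SAMPLE_POS = [
    PurchaseOrder("PO-100", "Acme Sound", Decimal("5000.00"), approved=True),
    PurchaseOrder("PO-101", "Stage Lighting Co", Decimal("1200.00"), approved=False),
]
SAMPLE_RECEIPTS = [Receipt("PO-100", Decimal("5000.00"))]
SAMPLE_INVOICES = [
    Invoice("INV-1", "Acme Sound", "PO-100", Decimal("5000.00")),         # approved
    Invoice("INV-2", "Stage Lighting Co", "PO-101", Decimal("1200.00")),  # PO not approved
    Invoice("INV-3", "Acme Sound", "PO-999", Decimal("300.00")),          # no PO on file
    Invoice("INV-4", "Acme Sound", "PO-100", Decimal("5600.00")),         # exceeds receipt
]

def run_sample() -> MatchResult:
    return three_way_match(SAMPLE_INVOICES, SAMPLE_POS, SAMPLE_RECEIPTS)
```

The rejected list is the "identification of rejected transactions" the template asks about; each entry carries the reason a person needs to resolve it, and reconcile() is the balancing check from input to output.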


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Working Framework: Component – Principle – Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components is
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective


Layout of the Green Book


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ “Stuff happens” technique
    ◊ “Trust level” is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress – Organizing

HERE →
• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables at this stage: Written Policy (required); Risk Assessment Spreadsheet


Incremental Progress – Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed
→ THERE

Deliverables at this stage: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (required); Internal Audit / Management Audit Plan (required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies, it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: The action item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk factor weights (total 100):
  Level of documented control procedures – 10
  Size or volume – 10
  New products, services, or processing systems – 10
  Personnel turnover and mix – 15
  Complexity – 15
  Susceptibility to fraud – 15
  Information and reporting – 10
  Inherent level of risk to the organization – 10
  Frequency mentioned during interviews – 5

Each risk is scored on every factor (scores listed in the factor order above); the Total Score is the sum of each score multiplied by its factor weight.

Risk – Description | Factor scores | Total Score
Data Breach – The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405
National Park Service Relationship – Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335
Age of Venue – Filene Center – Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335
Succession Planning – The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335
Audience Competition – The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
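As an added example (not from the deck), this Python reconstructs the scoring behind the Total Score column: each factor score multiplied by the factor weights in the header row (10, 10, 10, 15, 15, 15, 10, 10, 5, totalling 100) and summed, then ranks the risks. The weights and the five risk rows are the figures on the slide; the 1-to-5 score range, the weights-must-total-100 rule and the top-drivers helper are assumptions added for illustration.

```python
"""Weighted risk scoring behind the Enterprise Risk Management sheet (added example).
Total Score = sum(factor score * factor weight); scores are assumed 1-5, weights total 100."""
from typing import Dict, List, Tuple

# Factor names and weights as shown in the sheet's header row.
FACTORS: List[Tuple[str, int]] = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
WEIGHTS: List[int] = [w for _, w in FACTORS]

# The five risk rows from the slide, scores in factor order.
SLIDE_RISKS: Dict[str, List[int]] = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def validate_weights(weights: List[int]) -> None:
    """Assumed rule: weights must total 100, so the maximum possible score is 500 (all 5s)."""
    if sum(weights) != 100:
        raise ValueError(f"weights must total 100, got {sum(weights)}")


def total_score(scores: List[int], weights: List[int] = WEIGHTS) -> int:
    """Weighted sum of one score per factor; rejects rows that do not line up with the factors."""
    if len(scores) != len(weights):
        raise ValueError("exactly one score per factor is required")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("factor scores must be whole numbers from 1 to 5")
    return sum(s * w for s, w in zip(scores, weights))


def rank_risks(risks: Dict[str, List[int]], weights: List[int] = WEIGHTS) -> List[Tuple[str, int]]:
    """(risk, total) pairs, highest first; ties keep the sheet's row order because sort is stable."""
    validate_weights(weights)
    scored = [(name, total_score(sc, weights)) for name, sc in risks.items()]
    return sorted(scored, key=lambda pair: -pair[1])


def top_drivers(scores: List[int], n: int = 3) -> List[str]:
    """Factors contributing the most points to a risk's total: where a new control moves the score most."""
    contributions = [(name, s * w) for (name, w), s in zip(FACTORS, scores)]
    return [name for name, _ in sorted(contributions, key=lambda pair: -pair[1])[:n]]
```

Running rank_risks(SLIDE_RISKS) reproduces the slide's totals (405, 335, 335, 335, 330) and shows that three risks tie at 335, so the sheet's row order, not the score alone, decides their ranking.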


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18 (Amended), Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture, Weights and Measures Division, inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness levels: Deficiency | Significant Deficiency | Material Weakness
Agency: _______________________ Assessable Unit: _____________ Updated: 07/18/2016
To be completed for all significant deficiencies or material weaknesses
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 | Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency. | Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 | Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059). | Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 2059? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 | Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). | Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 | The oversight body oversees management's design, implementation and operation of the agency's internal control system. | Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?
2.3 | Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. | Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility and Authority
3.1 | Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. | Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 | Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. | How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 | Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. | How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 | Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees. | When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 | Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. | Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 | Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. | Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 | Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. | Does each Agency/Assessable Unit have detailed procedures or a policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 | Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. | Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 | Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status. | Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 | Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels or by other methods. | Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 | The Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. | In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 | Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. | How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze and Respond to Risks
7.1 | A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 | A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 | Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. | Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 | Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. | Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 | Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 | Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. | Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 | Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. | How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 | Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. | Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 | Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. | How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 | Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. | How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze and Respond to Change
9.1 | Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. | How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 | Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. | How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?
9.3 | Management promotes continuous improvement and solicits input and feedback on the implications of significant change. | Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 | Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. | Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 | Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. | Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 | Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. | Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?
10.4 | The agency has established and monitors performance measures and indicators. | Do you monitor performance measures?
10.5 | Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. | Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 | Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. | Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
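The segregation-of-duties test behind 10.5 and 10.6 can be run mechanically over a role export rather than by eye. The Python below is an added example, not part of the template or of CLA's materials; the role names, the duty each role confers, the conflict pairs (taken from the four duties 10.5 lists) and the user assignments are all constructed, and the documented-exception list stands in for whatever register the agency keeps of accepted exceptions and their compensating controls.

```python
"""Segregation-of-duties check over role assignments (added example, constructed data)."""
from itertools import combinations

# Incompatible duty pairs, built from the 10.5 example: no one person should
# initiate transactions, reconcile balances, handle assets (custody) and review reports.
CONFLICTS = {
    frozenset({"initiate", "reconcile"}),
    frozenset({"initiate", "custody"}),
    frozenset({"custody", "reconcile"}),
    frozenset({"initiate", "review"}),
}

# Constructed: which duties each IT-system role confers (hypothetical role names).
ROLE_DUTIES = {
    "AP_CLERK": {"initiate"},
    "AP_APPROVER": {"review"},
    "GL_RECON": {"reconcile"},
    "CASHIER": {"custody"},
    "AP_ADMIN": {"initiate", "review"},   # a toxic role: one role, two conflicting duties
}

# Constructed: user -> roles assigned in the system (as a role export would show).
ASSIGNMENTS = {
    "jdoe": {"AP_CLERK", "GL_RECON"},       # initiate + reconcile: conflict
    "asmith": {"AP_CLERK"},
    "bjones": {"CASHIER", "AP_APPROVER"},   # custody + review: not a listed conflict
    "ckim": {"AP_ADMIN"},                   # conflict inside a single role
    "dlee": {"AP_CLERK", "CASHIER"},        # conflict, but a documented exception
}

# Constructed: exceptions management has accepted, each with its compensating control.
# 10.5 wants both the exception and the control documented, so undocumented ones stay violations.
DOCUMENTED_EXCEPTIONS = {
    "dlee": "Monthly supervisor review of all transactions initiated by dlee, signed and dated",
}


def duties_for(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Union of the duties conferred by every role the user holds."""
    duties = set()
    for role in assignments.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_findings(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES,
                 conflicts=CONFLICTS, exceptions=DOCUMENTED_EXCEPTIONS):
    """Return {user: {...}} for every user holding a conflicting pair of duties.

    status is "violation" when no compensating control is documented and
    "documented_exception" when one is, so the reviewer sees both populations.
    """
    findings = {}
    for user in sorted(assignments):
        duties = duties_for(user, assignments, role_duties)
        pairs = sorted(tuple(sorted(p)) for p in combinations(duties, 2)
                       if frozenset(p) in conflicts)
        if pairs:
            findings[user] = {
                "pairs": pairs,
                "status": "documented_exception" if user in exceptions else "violation",
                "compensating_control": exceptions.get(user),
            }
    return findings


if __name__ == "__main__":
    for user, f in sod_findings().items():
        print(f"{user}: {f['status']} {f['pairs']} {f['compensating_control'] or ''}")
```

Because the check works on duties rather than role names, a single over-broad role (AP_ADMIN above) is caught the same way as two roles that are each harmless on their own, which is the case a name-based review tends to miss.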
10.7 | Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). | Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 | Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. | Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?
10.9 | Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take the following controls into consideration when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.); physical control over vulnerable assets; and appropriate documentation (formal policies, directives and manuals are properly managed and maintained). | Does management utilize the appropriate types of control activities needed to address risks?
10.10 | Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. | Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 | Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. | How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 | Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. | Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 | Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. When relying on a SOC 1 or SOC 2 report, confirm that its period covers the fiscal year under assessment, that the services in scope are the ones the agency actually uses, and that the complementary user entity controls the report assumes are in place on the agency's side. | Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 | Management obtains and reviews all independent reports to ensure each report covers the controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. | Does management obtain and review all independent reports to ensure each report covers the controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 | Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. | Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 | Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., an online shared document repository or web portal with documents available for employee review/access). | Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 | Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. (These parameters are the template's documented settings to verify against; current NIST SP 800-63B guidance favors length and screening against known-compromised passwords over composition rules and periodic expiration, so they should not be read as a recommended baseline.) | Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 | Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. | Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 | In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). | In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 | On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. | On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
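The leaver steps in 11.4 and the semiannual review in 11.6 are both reconciliations of the directory against HR, so one check can produce the evidence for both. The Python below is an added example, not the template's own procedure; the HR roster, the account export, the job-to-role profile and the 14-day grace period (taken from the two-week deletion window in 11.4) are constructed or assumed for the demonstration.

```python
"""Reconcile an HR roster against a directory export (added example, constructed data)."""
from datetime import date, timedelta

GRACE_DAYS = 14  # 11.4 step 2: suspended IDs are deleted after a two-week period

# Constructed HR roster: user -> (job function, separation date or None if still employed).
HR_ROSTER = {
    "jdoe":   ("AP_CLERK", None),
    "asmith": ("AP_CLERK", date(2017, 3, 1)),   # separated but still enabled below
    "bjones": ("CASHIER",  date(2017, 2, 1)),   # separated, suspended, never deleted
    "ckim":   ("DBA",      None),
}

# Constructed directory export: user -> enabled flag, suspension date, assigned roles.
ACCOUNTS = {
    "jdoe":    {"enabled": True,  "disabled_on": None,             "roles": {"AP_CLERK"}},
    "asmith":  {"enabled": True,  "disabled_on": None,             "roles": {"AP_CLERK"}},
    "bjones":  {"enabled": False, "disabled_on": date(2017, 2, 1), "roles": {"CASHIER"}},
    "ckim":    {"enabled": True,  "disabled_on": None,             "roles": {"DBA", "DOMAIN_ADMIN"}},
    "svc_old": {"enabled": True,  "disabled_on": None,             "roles": {"AP_APPROVER"}},  # no owner in HR
}

# Constructed role model for the 11.6 review: roles each job function may hold (hypothetical names).
ALLOWED_ROLES = {
    "AP_CLERK": {"AP_CLERK"},
    "CASHIER":  {"CASHIER"},
    "DBA":      {"DBA"},
}


def reconcile(roster=HR_ROSTER, accounts=ACCOUNTS, allowed=ALLOWED_ROLES,
              today=date(2017, 3, 20), grace_days=GRACE_DAYS):
    """Return a sorted list of (user, finding) tuples for the access reviewer.

    Findings produced:
      separated_still_enabled   leaver's ID not suspended on the last day (11.4 step 2)
      suspended_not_deleted     ID still present more than grace_days after suspension
      no_hr_record              account with no owner in the roster (orphan or shared ID)
      role_not_in_job_profile   access not commensurate with job function (11.6)
    """
    findings = []
    for user, acct in accounts.items():
        if user not in roster:
            findings.append((user, "no_hr_record"))
            continue
        job, separated = roster[user]
        if separated is not None and separated <= today:
            if acct["enabled"]:
                findings.append((user, "separated_still_enabled"))
            elif acct["disabled_on"] and today - acct["disabled_on"] > timedelta(days=grace_days):
                findings.append((user, "suspended_not_deleted"))
            continue  # a leaver's roles are not reviewed; the ID itself should be gone
        for role in sorted(acct["roles"] - allowed.get(job, set())):
            findings.append((user, f"role_not_in_job_profile:{role}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile():
        print(f"{user}: {finding}")
```

The orphan case (svc_old) is the one the e-mail-driven process in 11.4 never sees, because no HR event ever fires for an account that was not created from an HR request; it only surfaces when the full account list is compared against the roster, which is why the semiannual review has to start from the directory rather than from HR.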
11.7 | Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. | Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 | Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. | Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 | Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. | Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes

11.10
Control factor: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?

11.11
Control factor: Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12
Control factor: Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13
Control factor: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14
Control factor: Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
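One way to turn the access-review questions in 11.6, 11.7 and 11.14 (access commensurate with job function, privileged access limited to management-authorized individuals, no shared/system IDs, no developer right to implement production changes) into a repeatable check, as an added illustration that is not part of the assessment template or of any agency's tooling: a Python review that compares an entitlement export against a management-approved role matrix and an authorized-holder list. The job functions, role names, authorized holders and entitlement records are all constructed for the example.

```python
"""Access-review checks for an entitlement export (added illustration).

Maps to the template's questions on access commensurate with job function
(11.6), privileged access limited to authorized individuals (11.7), and the
absence of shared/system IDs and developer access to production changes (11.14).
All role names, job functions and records below are constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Management-approved role matrix: job function -> roles commensurate with it.
APPROVED_ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"erp:ap_entry", "erp:vendor_view"},
    "ap_supervisor": {"erp:ap_entry", "erp:ap_approve", "erp:vendor_view"},
    "developer": {"erp:dev_sandbox", "scm:commit"},
    "dba": {"db:read", "db:write_execute"},
    "security_admin": {"erp:security_super"},
    "sysadmin": {"os:admin"},
}

# Special privileges in the sense of 11.7 (application super user, OS admin,
# database write/execute) plus the production-change right from 11.14.
PRIVILEGED_ROLES: Set[str] = {"erp:security_super", "os:admin", "db:write_execute", "prod:deploy"}

# Individuals management has explicitly authorized for each privileged role.
AUTHORIZED_HOLDERS: Dict[str, Set[str]] = {
    "erp:security_super": {"rpatel"},
    "os:admin": {"jsmith"},
    "db:write_execute": {"mlee"},
    "prod:deploy": {"jsmith"},
}

# Constructed entitlement export: (user_id, job_function, role, is_shared_account).
ENTITLEMENTS: List[Tuple[str, str, str, bool]] = [
    ("aturner", "ap_clerk", "erp:ap_entry", False),
    ("aturner", "ap_clerk", "erp:vendor_view", False),
    ("aturner", "ap_clerk", "erp:ap_approve", False),      # approval right a clerk should not hold
    ("bkim", "ap_supervisor", "erp:ap_approve", False),
    ("cdiaz", "developer", "scm:commit", False),
    ("cdiaz", "developer", "prod:deploy", False),           # developer able to push changes to production
    ("mlee", "dba", "db:write_execute", False),
    ("jsmith", "sysadmin", "os:admin", False),
    ("svc_batch", "sysadmin", "os:admin", True),            # shared/system ID holding admin rights
    ("rpatel", "security_admin", "erp:security_super", False),
]


def review_access(entitlements, approved_roles, privileged_roles, authorized_holders):
    """Return review findings grouped by the control-factor question they answer.

    Each finding is a tuple the business manager can attest to or revoke; lists
    are sorted so the output is stable from one review cycle to the next.
    """
    findings = {
        "excess_access": [],            # 11.6: role not commensurate with job function
        "unauthorized_privileged": [],  # 11.7: privileged role without management authorization
        "shared_ids": [],               # 11.14: shared/system user IDs present
        "developer_prod": [],           # 11.14: developer holds production change right
    }
    for user, job, role, shared in entitlements:
        if role not in approved_roles.get(job, set()):
            findings["excess_access"].append((user, job, role))
        if role in privileged_roles and user not in authorized_holders.get(role, set()):
            findings["unauthorized_privileged"].append((user, role))
        if shared:
            findings["shared_ids"].append((user, role))
        if job == "developer" and role == "prod:deploy":
            findings["developer_prod"].append(user)
    return {name: sorted(set(items)) for name, items in findings.items()}


if __name__ == "__main__":
    for name, items in review_access(ENTITLEMENTS, APPROVED_ROLES, PRIVILEGED_ROLES, AUTHORIZED_HOLDERS).items():
        print(f"{name}: {items}")
```

Each finding list corresponds to one question a business manager has to answer during the semiannual review, and the role matrix doubles as the documented evidence that access was compared against job function rather than simply re-approved as-is.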
Program Development

11.15
Control factor: A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16
Control factor: For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?

11.17
Control factor: Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18
Control factor: For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?

11.19
Control factor: Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20
Control factor: The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations

11.21
Control factor: Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?

11.22
Control factor: Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23
Control factor: In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?

Data Integrity

11.24
Control factor: Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25
Control factor: Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?

11.26
Control factor: Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
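The data validation and balancing that 11.25 and 11.26 describe (system edit checks on input data, identification of rejected transactions, and reconciliation of the input file to the output file) carried through in code, as an added example that is not part of the template or of any agency's application: a Python batch reconciliation over two constructed CSV files. The field names, the edit-check rules (vendor number format, ISO date, positive amount) and the sample rows are assumptions made for the illustration.

```python
"""Batch data-validation and reconciliation (added illustration).

Implements the edit checks, rejected-transaction identification and
input-to-output balancing described for data integrity controls. The file
layouts, field rules and sample rows are constructed for the example.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# Constructed input file as received from the interface or data-entry extract.
SOURCE_FILE = """txn_id,vendor_id,invoice_date,amount
1001,V-00042,2017-03-01,1250.00
1002,V-00042,2017-03-01,-80.00
1003,V-9,2017-03-02,310.50
1004,V-00017,2017-13-02,99.99
1005,V-00017,2017-03-02,45.00
"""

# Constructed output file: what the application reports as posted.
POSTED_FILE = """txn_id,amount
1001,1250.00
1005,54.00
1006,12.00
"""

VENDOR_ID = re.compile(r"^V-\d{5}$")  # assumed vendor number format
ISO_DATE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$")


def parse_csv(text):
    """Read a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def to_amount(value):
    """Parse a money field as Decimal; None when it is not a valid number."""
    try:
        return Decimal(value)
    except InvalidOperation:
        return None


def edit_check(row):
    """System edit checks on one input row; returns the list of validation errors."""
    errors = []
    if not VENDOR_ID.match(row.get("vendor_id", "")):
        errors.append("vendor_id format")
    if not ISO_DATE.match(row.get("invoice_date", "")):
        errors.append("invoice_date invalid")
    amount = to_amount(row.get("amount", ""))
    if amount is None or amount <= 0:
        errors.append("amount must be a positive number")
    return errors


def reconcile(source_text, posted_text):
    """Validate the input file, then balance accepted items against the output file."""
    zero = Decimal("0")
    source = parse_csv(source_text)
    posted = {r["txn_id"]: to_amount(r["amount"]) or zero for r in parse_csv(posted_text)}

    accepted, rejected = {}, {}
    for row in source:
        errors = edit_check(row)
        amount = to_amount(row["amount"]) or zero
        if errors:
            rejected[row["txn_id"]] = (amount, errors)
        else:
            accepted[row["txn_id"]] = amount

    # Balancing: every accepted item is posted at the same amount, and nothing
    # appears in the output that was not accepted from the input (a rejected
    # item that was posted anyway shows up here as unexpected).
    unposted = sorted(t for t in accepted if t not in posted)
    unexpected = sorted(t for t in posted if t not in accepted)
    mismatched = sorted((t, accepted[t], posted[t]) for t in accepted if t in posted and posted[t] != accepted[t])

    input_total = sum((to_amount(r["amount"]) or zero for r in source), zero)
    accepted_total = sum(accepted.values(), zero)
    rejected_total = sum((amt for amt, _ in rejected.values()), zero)
    posted_total = sum(posted.values(), zero)

    return {
        "input_total": input_total,        # control total over the source file
        "accepted_total": accepted_total,  # input_total == accepted_total + rejected_total
        "rejected_total": rejected_total,
        "posted_total": posted_total,
        "rejected": sorted((t, errs) for t, (_, errs) in rejected.items()),
        "unposted": unposted,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "balanced": accepted_total == posted_total and not (unposted or unexpected or mismatched),
    }


if __name__ == "__main__":
    for key, value in reconcile(SOURCE_FILE, POSTED_FILE).items():
        print(f"{key}: {value}")
```

The control totals are kept as three numbers that must tie (input equals accepted plus rejected), and the item-level lists give the operator the rejected transactions to resolve and the output-side exceptions (an amount posted differently from its input, or a posting with no accepted input) that a totals-only reconciliation would not surface on its own.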
Disaster Recovery

11.27
Control factor: A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28
Control factor: Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29
Control factor: Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30
Control factor: Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?

Principle 12 – Implement Control Activities

12.1
Control factor: Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2
Control factor: Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Management analyzes and follows up as needed.

12.3
Control factor: Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication

Principle 13 – Use Quality Information

13.1
Control factor: Management continuously identifies its information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2
Control factor: Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?

13.3
Control factor: Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?

Principle 14 – Communication Internally

14.1
Control factor: Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2
Control factor: Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur?

14.3
Control factor: Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4
Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5
Control factor: Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness, and relevance of information?

Principle 15 – Communication Externally

15.1
Control factor: Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2
Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?

15.3
Control factor: Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring

Principle 16 - Perform Monitoring Activities

16.1
Control factor: Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2
Control factor: Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?

16.3
Control factor: Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4
Control factor: Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5
Control factor: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6
Control factor: Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?

Principle 17 – Evaluate Issues and Remediate Deficiencies

17.1
Control factor: Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2
Control factor: Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Standards for Internal Control in the Federal Government

• The Green Book is on GAO's website at www.gao.gov/greenbook

What's in Green Book for the Federal Government

• Reflects federal internal control standards required per Federal Managers' Financial Integrity Act (FMFIA)
• Serves as a base for OMB Circular A-123
• Written for government
  – Leverages the COSO Framework
  – Uses government terms

What's in Green Book for State and Local Governments

• Acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards
• Written for government
  – Leverages the COSO Framework
  – Uses government terms

Uniform Guidance - §200.303 Internal Controls

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.

(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.

Why Do We Need an Internal Control Framework?

• Provides standards for management
• Provides criteria for auditors

Updated COSO Framework

• Released May 14, 2013

The COSO Framework

• Relationship of objectives and components
  – Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
  – The three objectives are represented by the columns
  – The five components are represented by the rows
  – The entity's organization structure is represented by the third dimension

Source: COSO

From COSO to Green Book Harmonization

(Figure comparing COSO and Green Book)

Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness

Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate to an entity's objectives
• Discusses management evaluation of internal control

Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
  – An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved

Relationship Between Components, Principles, and Attributes

(Figure: hierarchy of Objectives, Components, Principles, and Attributes, illustrated in that order with the objective "Process vendor bills after the valid purchase and receipt of goods or services", the component "Control Activity", the principle "Design Activities for Information System", and the attribute "Application Control – Workflow Approval")

Components and Principles

Revised Green Book Principles: 5 Components and 17 Principles

Component, Principle, Attribute: Working Framework

Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation

• An effective internal control system requires that each of the five components are:
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

(Figure: the two sections, Overview and Standards)

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens technique"
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendation as sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

(Figure: a path starting from HERE through four steps)
• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown alongside the steps: Written Policy (Required); Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed (end point: "THERE")

Deliverables shown beside these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, significant deficiency, or material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Scoring factors (weight in parentheses; weights total 100):
1. Level of documented control procedures (10)
2. Size or volume (10)
3. New products, services, or processing systems (10)
4. Personnel turnover and mix (15)
5. Complexity (15)
6. Susceptibility to fraud (15)
7. Information and reporting (10)
8. Inherent level of risk to the organization (10)
9. Frequency mentioned during interviews (5)

Risk | Description | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Total Score
Data Breach | The risk that the organization's data is vulnerable to internal or external threats and that, should any of the data be compromised, the Wolf Trap brand would be damaged | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330
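The weighted scoring behind the table above, as an added example (not part of the slide or CLA's spreadsheet): each factor is scored 1 to 5 and multiplied by its weight, which reproduces the slide's totals, ranks the risks, and shows which factor drives each score. The function and class names are this example's own.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management sheet.

Added example, not the presenter's spreadsheet: a risk is scored 1 to 5 on
nine factors; total = sum(score x weight), with weights summing to 100.
Factor names, weights, risk names and scores are taken from the slide.
"""
from dataclasses import dataclass

# Factor names and weights exactly as shown on the slide (weights sum to 100).
FACTORS = (
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
)
MIN_SCORE, MAX_SCORE = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    scores: tuple  # one integer score per factor, in FACTORS order


def validate(risk):
    """Reject rows that would silently distort the total (wrong length, out-of-range)."""
    if len(risk.scores) != len(FACTORS):
        raise ValueError(f"{risk.name}: expected {len(FACTORS)} scores, got {len(risk.scores)}")
    for (factor, _), s in zip(FACTORS, risk.scores):
        if not isinstance(s, int) or not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"{risk.name}: '{factor}' must be an integer {MIN_SCORE}-{MAX_SCORE}")


def total_score(risk):
    """Weighted total; with weights summing to 100 the maximum is max_total()."""
    validate(risk)
    return sum(s * w for s, (_, w) in zip(risk.scores, FACTORS))


def max_total():
    return MAX_SCORE * sum(w for _, w in FACTORS)


def factor_contributions(risk):
    """Weighted points per factor, largest first: shows what drives the total."""
    validate(risk)
    contrib = [(name, s * w) for s, (name, w) in zip(risk.scores, FACTORS)]
    return sorted(contrib, key=lambda c: c[1], reverse=True)


def rank(risks):
    """Risks ordered by total score, highest first (ties keep input order)."""
    return sorted(risks, key=total_score, reverse=True)


# Rows constructed from the slide's own numbers.
RISK_REGISTER = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for r in rank(RISK_REGISTER):
        top_name, top_pts = factor_contributions(r)[0]
        print(f"{total_score(r):>4}/{max_total()}  {r.name:<36} driven by: {top_name} ({top_pts})")
```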


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit / Management Audit Plan


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081


  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit / Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness Level drop-down values: Deficiency / Significant Deficiency / Material Weakness

Agency: _______________________ Assessable Unit: _____________ Updated: 07/18/2016

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
(To be completed for all significant deficiencies or material weaknesses.)
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials, and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes: 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
Question: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
1013 Management confirms the operating effectiveness of their service providers controls Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Management determines whether examinations audits service level agreements and related independent reports (ie Service Organization Control (SOC) 1 SOC 2 andor SOC 3 reports security assessments system certifications etc) should beare required as part of the contract with the third party service provider Does management confirm the operating effectiveness of their service providers controls Does management inventory existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Does management determine whether examinations audits service level agreements and related independent reports should beare required as part of the contract with the third party service provider
1014 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follows up on any areas of concerndeficiencies identified in the reports Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follow up on any areas of concerndeficiencies identified in the reports
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Questions: Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness. 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (e.g., an online shared document repository or web portal with documents available for employee review/access).
Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alphabetic character are required, and passwords expire every 30 days. After four invalid login attempts the session is terminated and the user ID is placed in a suspended status.
Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alphabetic character, and do passwords expire every 30 days? Are sessions terminated after four invalid login attempts, with the user ID placed in a suspended status?
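The following PowerShell script is an added example for item 11.3; it is not part of the CLA deck. It reads the domain's effective password and lockout settings with the ActiveDirectory (RSAT) module and compares them with the parameters the item states, then checks the two places where a compliant default policy is commonly undercut: fine-grained password policies that override the default for specific users or groups, and accounts flagged "password never expires". The expected values are taken from the item and are assumed to be the organization's standard; ComplexityEnabled is the closest Active Directory setting to "one numeric and one alphabetic character" and is an approximation. The item's parameters date from 2017; current NIST SP 800-63B guidance favors longer minimum lengths and screening against known-compromised passwords over short forced-expiration intervals, so treat these values as the stated baseline to verify, not as a recommendation.

```powershell
# Added example for item 11.3 (not from the CLA deck). Requires the ActiveDirectory
# RSAT module and a domain account with read access; run from a domain-joined host.
Import-Module ActiveDirectory

# Expected values are the parameters stated in item 11.3 (assumed to be the
# organization's standard; change them to match the actual policy document).
$Expected = @{
    MinPasswordLength  = 8
    MaxPasswordAgeDays = 30
    LockoutThreshold   = 4
    ComplexityEnabled  = $true   # nearest AD analogue of "one numeric and one alphabetic character"
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,               # Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy object
        [Parameter(Mandatory)] [hashtable] $Expected,
        [string] $Scope = 'Default Domain Policy'
    )
    $findings = @()

    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); expected at least $($Expected.MinPasswordLength)"
    }

    # MaxPasswordAge is a TimeSpan. A zero span (or an absurdly large one) means passwords
    # never expire, which fails the control even though zero is numerically "below" 30 days.
    $ageDays = [int]$Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Expected.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days; expected 1..$($Expected.MaxPasswordAgeDays) (0 = never expires)"
    }

    # LockoutThreshold 0 disables lockout entirely, so it must be treated as a failure too.
    if ($Policy.LockoutThreshold -le 0 -or $Policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); expected 1..$($Expected.LockoutThreshold) (0 = no lockout)"
    }

    if ($Expected.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $findings += 'ComplexityEnabled is False; expected True'
    }

    [pscustomobject]@{
        Scope     = $Scope
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$results = @()

# 1. The default domain policy.
$results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Expected $Expected

# 2. Fine-grained password policies (PSOs) override the default for the principals they are
#    applied to, so each one has to meet the same bar.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $pso | ForEach-Object { $_.Name }) -join ', '
    $results += Test-PasswordPolicy -Policy $pso -Expected $Expected -Scope "PSO '$($pso.Name)' applied to: $subjects"
}

# 3. Accounts flagged "password never expires" bypass the 30-day requirement regardless of
#    policy; list the enabled ones so each can be justified or cleared.
$neverExpires = @(Search-ADAccount -PasswordNeverExpires -UsersOnly |
                  Where-Object { $_.Enabled } |
                  ForEach-Object { $_.SamAccountName })
$summary = if ($neverExpires.Count -gt 0) { "$($neverExpires.Count) enabled account(s): $($neverExpires -join ', ')" } else { '' }
$results += [pscustomobject]@{
    Scope     = 'Per-account PasswordNeverExpires flag'
    Compliant = ($neverExpires.Count -eq 0)
    Findings  = $summary
}

$results | Format-Table -AutoSize -Wrap
```

Run it as part of the review in item 10.6 and keep the output with the review evidence; a compliant default policy alone proves little if a PSO or a per-account flag exempts the accounts that matter most.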
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job functions. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job functions? Is the Data Security group responsible for granting, changing, and removing access to information systems?

11.7 Super Users/Privileged Access. 1) Access to special privileges (e.g., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: 1) Is access to special privileges (e.g., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
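An added example supporting the access review described in items 11.4, 11.6 and 11.7 (it is not from the CLA deck): a PowerShell script that produces the evidence a business manager or the Data Security group would attest to. It lists enabled accounts with no recent logon, disabled accounts that have remained past the two-week deletion window of item 11.4, and the current recursive membership of privileged groups, and writes them to a CSV. The 90-day inactivity threshold and the list of privileged groups are assumptions. Active Directory does not record when an account was disabled, so the script approximates that date with the whenChanged attribute, and LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag a real logon by up to 14 days.

```powershell
# Added example for items 11.4, 11.6 and 11.7 (not from the CLA deck). Requires the
# ActiveDirectory RSAT module and a domain account with read access.
Import-Module ActiveDirectory

$InactiveDays     = 90    # assumed: "no recent logon" threshold for the review
$DeleteAfterDays  = 14    # item 11.4: suspended IDs are deleted after two weeks
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')   # assumed list; add application and DB admin groups
$ReportPath       = ".\AccessReview-$(Get-Date -Format yyyyMMdd).csv"

function Get-AccessReviewFindings {
    param(
        [int]      $InactiveDays,
        [int]      $DeleteAfterDays,
        [string[]] $PrivilegedGroups
    )
    $now = Get-Date

    # 1. Enabled accounts with no logon inside the window. Search-ADAccount -AccountInactive
    #    also returns accounts that have never logged on. LastLogonDate comes from the
    #    replicated lastLogonTimestamp (up to 14 days stale), so keep the threshold well above that.
    $stale = @(
        Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
            Where-Object { $_.Enabled } |
            ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Manager } |
            ForEach-Object {
                [pscustomobject]@{
                    Check   = 'StaleEnabledAccount'
                    Account = $_.SamAccountName
                    Detail  = "LastLogonDate=$($_.LastLogonDate); Manager=$($_.Manager)"
                }
            }
    )

    # 2. Disabled accounts still present after the deletion window. AD does not store the
    #    disable date, so whenChanged (last modification) is used as an approximation.
    $overdue = @(
        Search-ADAccount -AccountDisabled -UsersOnly |
            ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenChanged } |
            Where-Object { $_.whenChanged -lt $now.AddDays(-$DeleteAfterDays) } |
            ForEach-Object {
                [pscustomobject]@{
                    Check   = 'DisabledPastDeletionWindow'
                    Account = $_.SamAccountName
                    Detail  = "whenChanged=$($_.whenChanged)"
                }
            }
    )

    # 3. Current holders of privileged access, resolved recursively so nested groups count.
    $privileged = @(
        foreach ($group in $PrivilegedGroups) {
            Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Check   = 'PrivilegedGroupMember'
                        Account = $_.SamAccountName
                        Detail  = "Group=$group"
                    }
                }
        }
    )

    $stale + $overdue + $privileged
}

$findings = Get-AccessReviewFindings -InactiveDays $InactiveDays -DeleteAfterDays $DeleteAfterDays -PrivilegedGroups $PrivilegedGroups
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary for the review meeting; the CSV is the evidence the business managers sign off on.
$findings | Group-Object Check | Select-Object Name, Count
```

The privileged-group listing is what item 11.7 asks a reviewer to confirm; comparing it with the previous semiannual export shows who was added in between, which is the change the HR-to-administrator e-mail trail in item 11.4 should account for.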
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have it. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?

Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and the results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are the results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 The administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform their job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require it to perform their job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development

11.15 A written system development life cycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development life cycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define the project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and the results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are the results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review of all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review of all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations

11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity

11.24 Management establishes restrictive authorization controls within its operations, including controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/systems, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/systems, system edit checks, and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file)?

Disaster Recovery

11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities

12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities?
Information and Communication

Principle 13 – Use Quality Information

13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statutes and regulations, economic changes, and other factors.
Questions: How does management continuously identify changes (e.g., to the control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and does not report false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (e.g., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally

14.1 Policies and procedures are formally shared with employees, are up to date, reflect actual operating practices, align with goals and objectives, and comply with state and federal program requirements.
Questions: How are changes (e.g., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications occur (e.g., on risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.).
Questions: How does management ensure that effective internal communications (e.g., on risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (e.g., a flyer hanging in the community room, e-mail, the onboarding process).
Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (e.g., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communicate Externally

15.1 Management ensures that effective external communications occur (e.g., open channels with customers, suppliers, contractors, consultants, and other governments; complaints/inquiries; advice from outside parties; etc.) with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (e.g., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners.
Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (e.g., e-mail)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment regarding what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring

Principle 16 – Perform Monitoring Activities

16.1 Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Management provides oversight in securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (e.g., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?

Principle 17 – Evaluate Issues and Remediate Deficiencies

17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to the findings and recommendations of audits and other reviews? Are corrective action plans monitored?

What's in Green Book for State and Local Governments
• Acceptable framework for internal control at the state and local government level under the proposed OMB Uniform Guidance for Federal Awards
• Written for government
  – Leverages the COSO Framework
  – Uses government terms

Uniform Guidance – §200.303 Internal Controls

The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.
(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.
(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.

Why Do We Need an Internal Control Framework?
• Provides standards for management
• Provides criteria for auditors


Updated COSO Framework
• Released May 14, 2013


The COSO Framework
• Relationship of objectives and components
– Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
– The three objectives are represented by the columns
– The five components are represented by the rows
– The entity's organization structure is represented by the third dimension

Source: COSO


From COSO to Green Book: Harmonization

[Figure: COSO | Green Book]


Revised Green Book: Standards for Internal Control in the Federal Government
• Consists of 2 sections
– Overview
– Standards
• Establishes
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirement for effectiveness


Overview Section
• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts
• What is internal control in Green Book?
– Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
– An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved


Relationship Between Components, Principles, and Attributes

Hierarchy: Objectives → Components → Principles → Attributes

Example from the slide, one level at a time:
– Objective: Process vendor bills after the valid purchase and receipt of goods or services
– Component: Control Activity
– Principle: Design Activities for Information System
– Attribute: Application Control – Workflow Approval


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Component / Principle / Attribute: Working Framework


Principles and Attributes
• In general, all components and principles are required for an effective internal control system
• Principles and attributes
– Entity should implement relevant principles
◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
– Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles


Principles and Attributes (cont.)
• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements; they may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation
• An effective internal control system requires that each of the five components is:
– Effectively designed, implemented, and operating
– Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

[Figure: Overview | Standards]


5 Control Components
• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring


Control Environment
The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment
Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities
The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information &amp; Communication
The quality information management and personnel communicate and use to support the internal control system.


Monitoring
Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements
• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively


Minimum Documentation Requirements (cont.)

Requirement – Component (Green Book paragraph reference)
• Management develops and maintains documentation of its internal control system – Control Environment (3.09)
• Management documents in policies the internal control responsibilities of the organization – Control Activities (12.02)
• Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues – Monitoring (16.09)
• Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis – Monitoring (17.05)
• Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis – Monitoring (17.06)


In Practice…


We Find…
• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as its sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress – Organizing

Steps, in order, with the deliverable each produces:
• Formally declare an internal control framework – Written Policy (required)
• Break down the organization into functions – Risk Assessment Spreadsheet
• Establish a process for evaluating risks – Risk Assessment Spreadsheet
• Create teams by function to brainstorm risks – Risk Assessment Spreadsheet


Incremental Progress – Analysis and Monitoring

Steps, in order:
• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed

Deliverables at this stage:
• Risk Assessment Spreadsheet
• Internal Control Policies and Procedures (required)
• Internal Audit / Management Audit Plan (required)


Written Policy


Other Implementation Considerations
• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, used by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment and risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and no steps are currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: The weakness must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies.

A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements, errors, or non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles apply to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk factors and weights (weights total 100):
– Level of documented control procedures: 10
– Size or volume: 10
– New products, services, or processing systems: 10
– Personnel turnover and mix: 15
– Complexity: 15
– Susceptibility to fraud: 15
– Information and reporting: 10
– Inherent level of risk to the organization: 10
– Frequency mentioned during interviews: 5

Each risk is scored on every factor, in the order above; the Total Score is the sum of each score multiplied by its factor weight.

Risk: Data Breach
Description: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.
Scores: 2, 5, 4, 3, 5, 4, 5, 5, 3 – Total Score: 405

Risk: National Park Service Relationship
Description: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.
Scores: 3, 5, 4, 3, 4, 1, 2, 5, 5 – Total Score: 335

Risk: Age of Venue – Filene Center
Description: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
Scores: 3, 5, 4, 3, 4, 3, 1, 4, 3 – Total Score: 335

Risk: Succession Planning
Description: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
Scores: 5, 2, 1, 5, 3, 2, 3, 5, 5 – Total Score: 335

Risk: Audience Competition
Description: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
Scores: 3, 5, 3, 1, 4, 2, 4, 5, 5 – Total Score: 330
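The scoring behind this spreadsheet, as an added example in Python (not part of the deck or of the CLA spreadsheet): the factor names and weights are the slide's, the rule that each factor score is multiplied by its weight and summed is inferred from the slide's totals, and the risk register is constructed from the slide's five rows. The function, class and field names are the example's own. It also checks the two things a reviewer of such a spreadsheet should check first: that the weights still total 100 after someone edits them, and that every score is on the 1–5 scale, since a stray 50 typed into one cell silently dominates the ranking.

```python
"""Weighted inherent-risk scoring, as in the Enterprise Risk Management
spreadsheet. Added example: factor names and weights from the slide, the
score-times-weight rule inferred from the slide's totals, register rows
constructed from the slide's five risks. Names are this example's own."""
from dataclasses import dataclass

# Factor weights from the slide; they must total 100.
FACTOR_WEIGHTS = {
    "documented_control_procedures": 10,
    "size_or_volume": 10,
    "new_products_services_or_systems": 10,
    "personnel_turnover_and_mix": 15,
    "complexity": 15,
    "susceptibility_to_fraud": 15,
    "information_and_reporting": 10,
    "inherent_risk_to_organization": 10,
    "frequency_in_interviews": 5,
}
SCORE_MIN, SCORE_MAX = 1, 5  # per-factor score scale used on the slide


@dataclass(frozen=True)
class Risk:
    name: str
    scores: tuple  # one score per factor, in FACTOR_WEIGHTS order


def validate_weights(weights=FACTOR_WEIGHTS):
    """Reject a weight table that does not sum to 100; otherwise totals
    are not comparable across versions of the spreadsheet."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"factor weights must total 100, got {total}")
    return total


def factor_contributions(risk, weights=FACTOR_WEIGHTS):
    """Per-factor contribution (score * weight), so a reviewer can see
    which factor is driving a risk's total. Rejects out-of-scale scores."""
    if len(risk.scores) != len(weights):
        raise ValueError(f"{risk.name}: expected {len(weights)} scores")
    for score in risk.scores:
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(
                f"{risk.name}: score {score} outside {SCORE_MIN}-{SCORE_MAX}")
    return {f: s * w for (f, w), s in zip(weights.items(), risk.scores)}


def total_score(risk, weights=FACTOR_WEIGHTS):
    return sum(factor_contributions(risk, weights).values())


def rank_risks(risks, weights=FACTOR_WEIGHTS):
    """Highest total first; ties keep register order (sorted is stable)."""
    validate_weights(weights)
    return sorted(((total_score(r, weights), r.name) for r in risks),
                  key=lambda pair: -pair[0])


# Register constructed from the five rows on the slide.
REGISTER = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for total, name in rank_risks(REGISTER):
        print(f"{total:4d}  {name}")
```

Running it reproduces the slide's totals (405, 335, 335, 335, 330) and shows, via factor_contributions, that three of the Data Breach points come from the 15-weight factors (complexity and fraud susceptibility) rather than from the raw "inherent risk" column, which is the kind of thing a weighted model hides when only the total is reported.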


Internal Control Policies and Procedures
• Develop a template and a location for access and storage
– SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
– Identify the risk
– Document the control activities
– Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

Examples: Commonwealth control factors referenced to Green Book principles

Principle 1: Executive Order 1980-18 Amended, Code of Conduct
Principle 1: Performing professional and educational reference checks prior to hiring a new employee
Principle 3: Department organization charts
Principle 4: Annual employee performance evaluations
Principle 7: Dept. of Health's Pandemic Influenza Response Plan
Principle 10: Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
Principle 10: User identification and password to log into your agency's computer network
Principle 10: Reconciling a petty cash checking account to the monthly bank statement
Principle 10: PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
Principle 10: Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
Principle 14: Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30 20xx Deficiency
Significant Deficiency
Material Weakness
Agency _______________________ Assessable Unit_____________ Updated 07182016
To be completed for all significant deficiencies or material weaknesses
Control Factor Statement Control Factor Question NA Controls Implemented Action ItemsAreas Needing Improvement Weakness Level Corrective Action Plan Responsible Party Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
43 Employees receiveobtain information and training about internal controls as it pertains to onersquos position role and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system Does each employee in the AgencyAssessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system If yes how often does this training occur
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
51 Management enforces accountability of all individuals including all agency personnel as well as all service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations
52 Job performance is periodically evaluated and reviewed with each employee Appropriate remedial action is taken when performance expectations are not met Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individualrsquos position or status Does your AgencyAssessable Unit enforce accountability with respect to management staff and contractors Are performance evaluations being conducted on a timely basis to ensure job duties (ie reconciliations reviews) are being performed What remedial actions are taken when performance is not adequate or inappropriate behavior is reported
53 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities Excessive pressures are adjusted by rebalancing workloads increasing resource levels or by other methods Is excessive pressure placed on management staff contractors etc to complete tasks andor their assigned duties If yes how do you protect against the related risks of corners being cut quality diminishing etc
Risk Assessment
Principle 6 ndash Define Objectives and Risk Tolerances
61 Agency has a defined strategic plan including a mission statement and defined goals and objectives Assessable unit goals and objectives are in concert with those of the Agency The Agency plan identifies critical success factors and risks including fraud risk related to achieving the defined objectives Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks Management has established a process to periodically review and update strategic plans and objectives In your AgencyAssessable Units defined strategic plan how do you specifically address critical success factors and risks related to your goals and objectives What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks What is your process for periodically reviewing and updating the strategic plan and related objectives
62 Management defines risk tolerances for its defined objectives in specific and measurable terms This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives a reasonable level of precision and accuracy for nonfinancial reporting objectives and a reasonable level of materiality for financial reporting objectives Acceptable levels of variation are documented and adhered to by each Assessable Unit How does management define its risk tolerance for their objectives Does your AgencyAssessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operation objectives Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
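Items 10.5 and 10.6 describe the check an annual role review has to perform: collapse each user's application roles into the duties they grant, flag anyone who holds an incompatible pair, and distinguish flagged users who have a documented compensating control from those who do not. The script below is an added example written for this checklist; it is not code from the checklist or from any agency system. The duty names, the role-to-duty mapping, the role export and the compensating-control register are all constructed sample data; a real review would load these from the application's role export and the exception register.

```python
"""Segregation-of-duties (SoD) review over application role assignments.

Added example for checklist items 10.5 and 10.6; not part of the checklist.
All names and assignments below are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of duties the checklist says one person should not hold together
# (initiate transactions, reconcile balances, handle assets, review reports).
INCOMPATIBLE_DUTIES = {
    frozenset({"initiate_transaction", "reconcile_balances"}),
    frozenset({"initiate_transaction", "handle_assets"}),
    frozenset({"handle_assets", "reconcile_balances"}),
    frozenset({"initiate_transaction", "review_reports"}),
}

# Which application role grants which duty (constructed mapping).
ROLE_DUTIES = {
    "AP_CLERK": {"initiate_transaction"},
    "CASHIER": {"handle_assets"},
    "GL_RECON": {"reconcile_balances"},
    "REPORT_REVIEWER": {"review_reports"},
    "SECURITY_ADMIN": {"manage_access"},
}

# Role export from the application: (user, role) -- constructed sample.
ASSIGNMENTS = [
    ("alice", "AP_CLERK"),
    ("alice", "GL_RECON"),          # conflict: initiates and reconciles
    ("bob", "CASHIER"),
    ("carol", "AP_CLERK"),
    ("carol", "REPORT_REVIEWER"),   # conflict, but a compensating control is on file
    ("dave", "SECURITY_ADMIN"),
]

# Exception register: user -> documented compensating control (constructed).
COMPENSATING_CONTROLS = {
    "carol": "Supervisor re-performs the monthly report review; documented 2017-01-15",
}


def duties_by_user(assignments, role_duties=ROLE_DUTIES):
    """Collapse role assignments into the set of duties each user holds."""
    duties = defaultdict(set)
    for user, role in assignments:
        duties[user] |= role_duties.get(role, set())
    return dict(duties)


def find_sod_conflicts(assignments, incompatible=INCOMPATIBLE_DUTIES,
                       compensating=COMPENSATING_CONTROLS):
    """Return one finding per user per incompatible pair of duties held.

    Each finding carries the compensating control on file (or None), because
    the checklist accepts an exception only when one is implemented and
    documented.
    """
    findings = []
    for user, duties in sorted(duties_by_user(assignments).items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in incompatible:
                findings.append({
                    "user": user,
                    "conflict": (a, b),
                    "compensating_control": compensating.get(user),
                })
    return findings


def uncompensated(findings):
    """Conflicts with no documented compensating control: the items that
    must be remediated (a role removed) or documented before sign-off."""
    return [f for f in findings if f["compensating_control"] is None]


if __name__ == "__main__":
    for f in find_sod_conflicts(ASSIGNMENTS):
        status = "compensated" if f["compensating_control"] else "OPEN"
        print(f"{f['user']}: {f['conflict'][0]} + {f['conflict'][1]} [{status}]")
```

The review's output is the list returned by `uncompensated()`: on the sample data, alice holds both "initiate" and "reconcile" with nothing on file, while carol's conflict is reported but marked compensated. Working from duties rather than role names matters because new roles can grant an old duty under a different label; mapping roles to duties once keeps the conflict matrix stable as roles change.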
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
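The leaver process in item 11.4 states two deadlines (suspend on the last day, delete after two weeks) that can be tested directly by reconciling HR's separation notices to a directory export. The script below is an added example written for this item; it is not code from the checklist or from a Commonwealth system. The separation notices, the directory export, the review date and the assumption that an account missing from the export has been deleted are all constructed; a real run would feed an HR separations report and an Active Directory (or other directory) export into `check_leavers()`.

```python
"""Reconcile HR separation notices to directory account status.

Added example for checklist item 11.4; not part of the checklist itself.
The notices, the directory export and the review date are constructed
sample data.
"""
from datetime import date, timedelta

# "After a two-week period, user IDs are deleted from the system."
DELETE_AFTER = timedelta(days=14)

# HR separation notices: (user_id, last_day) -- constructed sample.
SEPARATIONS = [
    ("jsmith", date(2017, 3, 3)),
    ("mlee", date(2017, 3, 10)),
    ("rkhan", date(2017, 3, 24)),
    ("tnguyen", date(2017, 3, 27)),
]

# Directory export taken on REVIEW_DATE -- constructed sample. Assumption:
# a user absent from the export has already been deleted. disabled_on is
# the date the account was placed in suspended status.
DIRECTORY = {
    "jsmith": {"disabled_on": date(2017, 3, 3), "deleted_on": date(2017, 3, 17)},
    "mlee": {"disabled_on": date(2017, 3, 13), "deleted_on": None},
    "rkhan": {"disabled_on": None, "deleted_on": None},
}
REVIEW_DATE = date(2017, 3, 31)


def check_leavers(separations, directory, review_date, delete_after=DELETE_AFTER):
    """Return (user, issue) pairs where the leaver process was not followed.

    For each separated employee three conditions are tested:
      1. the account is not still active after the last day of employment;
      2. the account was suspended no later than the last day;
      3. the account was deleted once the two-week period has elapsed.
    """
    exceptions = []
    for user, last_day in separations:
        rec = directory.get(user)
        if rec is None:
            continue  # absent from export: already deleted, nothing left to test
        disabled_on, deleted_on = rec["disabled_on"], rec["deleted_on"]
        if disabled_on is None and deleted_on is None:
            if review_date > last_day:
                exceptions.append((user, "account still active after last day"))
            continue
        if disabled_on is not None and disabled_on > last_day:
            late = (disabled_on - last_day).days
            exceptions.append((user, f"suspended {late} days after last day"))
        if deleted_on is None and review_date > last_day + delete_after:
            exceptions.append((user, "not deleted after two-week period"))
    return exceptions


if __name__ == "__main__":
    for user, issue in check_leavers(SEPARATIONS, DIRECTORY, REVIEW_DATE):
        print(f"{user}: {issue}")
```

On the sample data the review reports one account that was never suspended (rkhan) and one that was suspended three days late and still not deleted (mlee); jsmith passes and tnguyen is absent from the export. The same reconciliation, run from the directory side (every disabled account should trace to an HR notice), catches suspensions that happened without a notice, which is the other half of the evidence for this item.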
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
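Item 11.9 asks whether management periodically reviews perimeter logs for potential unauthorized activity; "reviewing" a large export in practice means running a few repeatable questions over it. The script below is an added example written for this item, not code from the checklist or from any firewall product. The log line format, the internal address range, the administrative ports and the detection threshold are constructed assumptions (real firewall exports differ, so `parse_line()` is the part that would be replaced), and the sample lines are constructed traffic, not a real capture. It answers two questions a reviewer would ask: which external sources were denied repeatedly, and whether any connection to a remote-administration port was allowed in from outside the perimeter. It also reports lines the parser could not read, since a silently changed log format would otherwise make the review look clean.

```python
"""Periodic review of perimeter firewall logs for potential unauthorized activity.

Added example for checklist item 11.9; not part of the checklist. The log
format, addresses, ports and threshold are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range
ADMIN_PORTS = {22, 3389}    # assumed remote-administration ports
DENY_THRESHOLD = 5          # denies from one external source before it is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample export (not real traffic). The last line is malformed on purpose.
SAMPLE_LOG = """\
2017-03-01T09:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2017-03-01T09:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2017-03-01T09:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2017-03-01T09:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2017-03-01T09:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2017-03-01T09:01:10 DENY src=198.51.100.4 dst=192.0.2.10 dport=443
2017-03-01T09:02:00 ALLOW src=198.51.100.9 dst=192.0.2.20 dport=3389
2017-03-01T09:03:00 ALLOW src=192.0.2.5 dst=192.0.2.20 dport=22
2017-03-01T09:04:00 ALLOW src=198.51.100.4 dst=192.0.2.30 dport=443
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def review_log(text, deny_threshold=DENY_THRESHOLD, internal=INTERNAL_NET,
               admin_ports=ADMIN_PORTS):
    """Return findings from a firewall log export.

    unparsed:           lines the parser could not read (format drift or corruption)
    probing_sources:    external sources with >= deny_threshold denied connections
    admin_from_outside: ALLOWed connections to admin ports from outside the perimeter
    """
    unparsed, denies, admin_from_outside = [], Counter(), []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            unparsed.append(raw)
            continue
        try:
            external = ipaddress.ip_address(event["src"]) not in internal
        except ValueError:
            unparsed.append(raw)
            continue
        if event["action"] == "DENY" and external:
            denies[event["src"]] += 1
        elif event["action"] == "ALLOW" and external and event["dport"] in admin_ports:
            admin_from_outside.append(
                (event["ts"], event["src"], event["dst"], event["dport"]))
    probing = {src: n for src, n in denies.items() if n >= deny_threshold}
    return {"unparsed": unparsed, "probing_sources": probing,
            "admin_from_outside": admin_from_outside}


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each finding is something to document in the review record: the allowed inbound connection to port 3389 is either an approved exception or a rule to correct, and the repeatedly denied source is evidence the perimeter controls are doing their job (which is itself what item 11.9 asks to be shown). Keeping the threshold and port list as parameters lets the same script be run with the values the agency's own policy sets.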
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
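Items 11.21 through 11.23 rely on the scheduler raising an alert when a job fails, but a job that never started raises nothing, so the evidence that backups ran as scheduled has to come from comparing the job history against the schedule rather than from the absence of alerts. The script below is an added example written for items 11.22 and 11.23; it is not code from the checklist or from any scheduling product. The schedule (a weekly full backup on Sunday plus a daily incremental), the job history and the ticket format are constructed assumptions; a real run would read the scheduler's job log over the review period.

```python
"""Reconcile backup job history to the backup schedule.

Added example for checklist items 11.22 and 11.23; not part of the checklist.
The schedule, the job history and the ticket layout are constructed assumptions.
"""
from datetime import date, timedelta

# Assumed schedule: full backup every Sunday, incremental every day.
FULL_WEEKDAY = 6  # date.weekday(): Monday = 0 ... Sunday = 6

# Scheduler job history: (run_date, job_type, status) -- constructed sample.
JOB_HISTORY = [
    (date(2017, 3, 5), "full", "success"),
    (date(2017, 3, 5), "incremental", "success"),
    (date(2017, 3, 6), "incremental", "success"),
    (date(2017, 3, 7), "incremental", "success"),
    (date(2017, 3, 8), "incremental", "failed"),
    (date(2017, 3, 9), "incremental", "success"),
    # 2017-03-10: no incremental job was recorded at all
    (date(2017, 3, 11), "incremental", "success"),
]


def expected_jobs(start, end, full_weekday=FULL_WEEKDAY):
    """List the (date, job_type) pairs the schedule calls for in a period."""
    expected = []
    day = start
    while day <= end:
        expected.append((day, "incremental"))
        if day.weekday() == full_weekday:
            expected.append((day, "full"))
        day += timedelta(days=1)
    return expected


def backup_exceptions(history, start, end):
    """Return (date, job_type, problem) for every expected job that did not succeed.

    A job that never ran is reported as "missing"; this is the case an
    alert-driven process does not see.
    """
    outcome = {}
    for run_date, job_type, status in history:
        key = (run_date, job_type)
        # A successful retry on the same day overrides an earlier failure.
        if status == "success" or key not in outcome:
            outcome[key] = status
    problems = []
    for day, job_type in expected_jobs(start, end):
        status = outcome.get((day, job_type))
        if status is None:
            problems.append((day, job_type, "missing"))
        elif status != "success":
            problems.append((day, job_type, status))
    return problems


def tickets_for(problems):
    """One helpdesk ticket stub per problem, for computer operations to resolve."""
    return [{"title": f"{job_type} backup {problem} on {day.isoformat()}",
             "assigned_to": "computer operations", "resolution": None}
            for day, job_type, problem in problems]


if __name__ == "__main__":
    found = backup_exceptions(JOB_HISTORY, date(2017, 3, 5), date(2017, 3, 11))
    for ticket in tickets_for(found):
        print(ticket["title"])
```

On the sample week the failed incremental of 8 March would have produced an alert, while the incremental that never ran on 10 March would not; both come out of the reconciliation, and each gets a ticket stub that the operations team must close with a documented resolution. The retry rule means a failure that was re-run successfully the same day is not raised as an exception.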
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
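Items 11.25 and 11.26 (and the batch totals mentioned in 10.9) list the application controls an interface should carry: edit checks on each input record, a rejected-transactions list that someone has to resolve, and reconciliations that prove input = accepted + rejected and that what reached the output file equals what was accepted. The script below is an added example written for these items, not code from the checklist or from any agency system. The file layout (a header-less CSV of id, posting date, account, amount), the valid-account list and the sample records are constructed assumptions.

```python
"""Input validation and input-to-output reconciliation for an interface file.

Added example for checklist items 11.25 and 11.26; not part of the checklist.
The file layout, account list and records are constructed assumptions.
"""
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000", "2000", "5100"}  # constructed chart-of-accounts subset

# Constructed interface file: five records, three of which should be rejected.
INPUT_FILE = """\
T001,2017-03-01,1000,125.50
T002,2017-03-01,5100,-40.00
T003,2017-02-30,1000,10.00
T004,2017-03-02,9999,300.00
T005,2017-03-02,2000,abc
"""


def validate(row):
    """Edit checks for one record; returns the list of failures (empty = accepted)."""
    if len(row) != 4:
        return ["wrong field count"]
    _tid, posting_date, account, amount = row
    errors = []
    try:
        datetime.strptime(posting_date, "%Y-%m-%d")
    except ValueError:
        errors.append("invalid posting date")
    if account not in VALID_ACCOUNTS:
        errors.append("unknown account")
    try:
        Decimal(amount)
    except InvalidOperation:
        errors.append("non-numeric amount")
    return errors


def process(text):
    """Split the file into accepted and rejected (row, errors) pairs."""
    accepted, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        errors = validate(row)
        (rejected if errors else accepted).append((row, errors))
    return accepted, rejected


def amount_total(rows):
    """Hash total of amounts; unparseable amounts count toward record count only."""
    total = Decimal("0")
    for row, _ in rows:
        try:
            total += Decimal(row[3])
        except (InvalidOperation, IndexError):
            pass
    return total


def reconcile(text, output_rows):
    """Reconcile the input file to the records the downstream system posted.

    output_rows is the output file as a list of [id, date, account, amount].
    Three checks are made: input count = accepted + rejected, output count =
    accepted count, and output hash total = accepted hash total.
    """
    accepted, rejected = process(text)
    input_rows = accepted + rejected
    result = {
        "input_count": len(input_rows),
        "accepted_count": len(accepted),
        "rejected_count": len(rejected),
        "output_count": len(output_rows),
        "input_total": amount_total(input_rows),
        "accepted_total": amount_total(accepted),
        "rejected_total": amount_total(rejected),
        "output_total": sum((Decimal(r[3]) for r in output_rows), Decimal("0")),
        "rejections": [(row[0], errors) for row, errors in rejected],
    }
    result["balanced"] = (
        result["input_count"] == result["accepted_count"] + result["rejected_count"]
        and result["output_count"] == result["accepted_count"]
        and result["output_total"] == result["accepted_total"]
    )
    return result


if __name__ == "__main__":
    posted = [["T001", "2017-03-01", "1000", "125.50"],
              ["T002", "2017-03-01", "5100", "-40.00"]]
    for key, value in reconcile(INPUT_FILE, posted).items():
        print(f"{key}: {value}")
```

The `rejections` list is the resolution queue item 11.26 refers to: each rejected transaction carries the reason it failed so it can be corrected and re-submitted rather than silently dropped. The `balanced` flag is what a reviewer signs off on; when it is false, the count and hash totals in the same result show whether records were lost between input and output or whether amounts were altered in transit.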
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies its information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur.
How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


What's in Green Book for State and Local Governments
• Acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards
• Written for government
  – Leverages the COSO Framework
  – Uses government terms


Uniform Guidance – §200.303 Internal Controls

The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.
(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.
(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive, or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.


Why Do We Need an Internal Control Framework?
• Provides standards for management
• Provides criteria for auditors


Updated COSO Framework
• Released May 14, 2013


The COSO Framework
• Relationship of objectives and components
  – Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
  – The three objectives are represented by the columns
  – The five components are represented by the rows
  – The entity's organization structure is represented by the third dimension

Source: COSO


From COSO to Green Book: Harmonization

[Figure: COSO mapped side by side with the Green Book]


Revised Green Book: Standards for Internal Control in the Federal Government
• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness


Overview Section
• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts
• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
  – An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved


Relationship Between Components, Principles and Attributes

[Figure: hierarchy of Objectives, Components, Principles and Attributes, illustrated with one chain: Objective – Process vendor bills after the valid purchase and receipt of goods or services; Component – Control Activity; Principle – Design Activities for Information System; Attribute – Application Control – Workflow Approval]


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Working Framework: Component – Principle – Attribute


Principles and Attributes
• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
  – Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles


Principles and Attributes (cont.)
• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation
• An effective internal control system requires that each of the five components are
  – Effectively designed, implemented and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

[Figure: layout of the Green Book, with its Overview and Standards sections]


5 Control Components
• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment
The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment
Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities
The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication
The quality information management and personnel communicate and use to support the internal control system.


Monitoring
Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements
• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…
• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress – Organizing

Starting from HERE:
1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Artifacts shown with these steps, in order: Written Policy (Required); Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Risk Assessment Spreadsheet


Incremental Progress – Analysis and Monitoring

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high-exposure risks
4. Develop a process to ensure the controls are operating as designed
Arriving THERE.

Artifacts shown with these steps, in order: Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required); Internal Control Policies and Procedures (Required); Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required)


Written Policy


Other Implementation Considerations
• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, used by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency; the amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk factors and weights (weights total 100):
  Level of documented control procedures ............ 10
  Size or volume .................................... 10
  New products, services or processing systems ...... 10
  Personnel turnover and mix ........................ 15
  Complexity ........................................ 15
  Susceptibility to fraud ........................... 15
  Information and reporting ......................... 10
  Inherent level of risk to the organization ........ 10
  Frequency mentioned during interviews .............  5

Risk descriptions:
  Data Breach – The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.
  National Park Service Relationship – Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.
  Age of Venue – Filene Center – Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
  Succession Planning – The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
  Audience Competition – The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.

Ratings (one per factor, in the order listed above) and Total Score:
  Risk                                 | Ratings            | Total Score
  Data Breach                          | 2 5 4 3 5 4 5 5 3  | 405
  National Park Service Relationship   | 3 5 4 3 4 1 2 5 5  | 335
  Age of Venue – Filene Center         | 3 5 4 3 4 3 1 4 3  | 335
  Succession Planning                  | 5 2 1 5 3 2 3 5 5  | 335
  Audience Competition                 | 3 5 3 1 4 2 4 5 5  | 330
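The register's totals follow a weighted sum: each factor's rating is multiplied by the factor's weight and the products are added (for Data Breach, 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405). The following is an added example, not part of CLA's deck or of any Wolf Trap spreadsheet, that reproduces the register above in code so the scoring can be checked, ranked, and traced back to the factors that drive it. The factor names, weights and ratings are taken from the register; the scoring formula is inferred from its totals; the 1–5 rating scale and the function names are assumptions of this example.

```python
"""Weighted inherent-risk scoring for an ERM register (added example)."""
from dataclasses import dataclass

# Risk factors and weights as given in the register header (they sum to 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

RATING_MIN, RATING_MAX = 1, 5  # assumption: each factor is rated on a 1-5 scale


@dataclass(frozen=True)
class Risk:
    name: str
    ratings: tuple  # one rating per factor, in FACTORS order


def validate_weights(factors=FACTORS) -> int:
    """Return the weight total, refusing a header whose weights do not sum to 100."""
    total = sum(weight for _, weight in factors)
    if total != 100:
        raise ValueError(f"factor weights sum to {total}, expected 100")
    return total


def total_score(ratings, factors=FACTORS) -> int:
    """Total Score = sum over factors of (rating x weight), the formula the register's totals follow."""
    if len(ratings) != len(factors):
        raise ValueError("one rating is required per factor")
    for rating in ratings:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    return sum(rating * weight for rating, (_, weight) in zip(ratings, factors))


def top_contributors(ratings, n=3, factors=FACTORS):
    """Factors contributing the most points to a risk's total, highest first (ties keep header order)."""
    contributions = [(name, rating * weight) for rating, (name, weight) in zip(ratings, factors)]
    return sorted(contributions, key=lambda item: -item[1])[:n]


def rank_register(risks):
    """Rank risks by total score, highest first; equal scores keep register order."""
    scored = [(risk.name, total_score(risk.ratings)) for risk in risks]
    return sorted(scored, key=lambda item: -item[1])


# The five risks from the register above (descriptions shortened to their names).
REGISTER = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    validate_weights()
    for name, score in rank_register(REGISTER):
        print(f"{score:>4}  {name}")
    for name, points in top_contributors(REGISTER[0].ratings):
        print(f"  Data Breach driver: {name} ({points} points)")
```

Running it reproduces the register's column of totals (405, 335, 335, 335, 330) and shows that the Data Breach score is driven mostly by Complexity (75 points) and Susceptibility to fraud (60 points), which is where control design effort would pay off first. Because three risks tie at 335, the ranking keeps them in register order rather than inventing a tie-break the spreadsheet does not have.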


Internal Control Policies and Procedures

bull Develop a template and a location for access and storagendash Sharepoint intranet site guide etc (information and

communication)

bull Policy Componentsndash Identify the riskndash Document the control activitiesndash Strategy for communication

39


Internal Audit Management Audit Plan

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@CLAconnect.com
410-308-8081

Examples: Principle – Control Factor
1 – Executive Order 1980-18 Amended, Code of Conduct
1 – Performing professional and educational reference checks prior to hiring a new employee
3 – Department Organization Charts
4 – Annual employee performance evaluations
7 – Dept. of Health's Pandemic Influenza Response Plan
10 – Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 – User identification and password to log into your agency's computer network
10 – Reconciling a petty cash checking account to the monthly bank statement
10 – PennDOT requiring customers to provide specific documentation (e.g. proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 – Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 – Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016
Weakness Level options: Deficiency, Significant Deficiency, Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 Statement: Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 Statement: The oversight body oversees management's design, implementation and operation of the agency's internal control system. Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?
2.3 Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility and Authority
3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees. Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees. Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel. Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status. Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 Statement: The Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze and Respond to Risks
7.1 Statement: A process (i.e., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct such as waste and abuse?
8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze and Respond to Change
9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Statement: Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Statement: Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Statement: Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?
10.4 Statement: The agency has established and monitors performance measures and indicators. Question: Do you monitor performance measures?
10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Statement: Security and Data Access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems. Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Statement: Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Statement: Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; and appropriate documentation (formal policies, directives and manuals are properly managed and maintained). Question: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Statement: Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Statement: Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Statement: Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Question: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Statement: Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Statement: Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Statement: Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Question: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 Statement: In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 Statement: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Statement: Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Question: Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Statement: Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Question: Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Statement: Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Question: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Statement: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes. Question: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Statement: Management authorization is requested and obtained prior to initiating an application change. Question: Is management authorization requested and obtained prior to initiating an application change?
11.12 Statement: Application changes are tested, and results of successful testing are documented prior to implementation. Question: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Statement: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Question: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Statement: Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Question: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
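Items 11.3, 11.4, 11.6, 11.7 and 11.14 describe settings and account states that can be pulled from Active Directory itself rather than answered from memory when the "Controls Implemented" column is filled in. The following PowerShell script is an added example, not part of the assessment template and not Commonwealth tooling; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, that the checklist thresholds apply to the default domain password policy (fine-grained policies are listed so each can be reviewed on its own), and placeholder group names: 'Developers' for the application developers and the built-in 'Domain Admins', 'Enterprise Admins' and 'Administrators' groups as the privileged set.

```powershell
# Added example for evidencing checklist items 11.3, 11.4, 11.6, 11.7 and 11.14 from
# Active Directory. Not part of the assessment template or Commonwealth tooling.
# Assumptions: domain-joined host, RSAT ActiveDirectory module, an account that can read
# the domain; $PrivilegedGroups and $DeveloperGroup are placeholders for the environment.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# 11.3: thresholds exactly as the checklist states them
$Expected = @{ MinPasswordLength = 8; MaxPasswordAgeDays = 30; LockoutThreshold = 4 }
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # built-in groups
$DeveloperGroup   = 'Developers'   # placeholder: group that holds application developers

# 11.3: compare the default domain policy against the checklist. A zero MaxPasswordAge
# means "never expires" and a zero LockoutThreshold means "never lock out", so both are
# failures, not values "within the limit".
function Test-PasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $ageDays = $p.MaxPasswordAge.TotalDays
    [pscustomobject]@{
        Control             = '11.3'
        MinLengthOk         = $p.MinPasswordLength -ge $Expected.MinPasswordLength
        ComplexityOk        = [bool]$p.ComplexityEnabled   # mixed classes cover "one alpha and one numeric"
        MaxAgeOk            = ($ageDays -gt 0) -and ($ageDays -le $Expected.MaxPasswordAgeDays)
        LockoutThresholdOk  = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $Expected.LockoutThreshold)
        # Fine-grained policies override the default for their targets; list them for separate review.
        FineGrainedPolicies = @(Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object -ExpandProperty Name)
    }
}

# 11.4 (2): user IDs are to be deleted two weeks after suspension. AD does not record when
# an account was disabled, so whenChanged is used as an upper bound on the disable date;
# confirm against the HR separation notice before reporting an exception.
function Get-OverdueDisabledUsers {
    param([int]$GraceDays = 14)
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged
}

# 11.6: input for the semiannual access review. Enabled accounts with no logon in the
# review period are the first candidates for "access not commensurate with job function".
function Get-InactiveEnabledUsers {
    param([int]$Days = 180)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate
}

# 11.7 (2): who actually holds administrative access, expanded through nested groups.
function Get-PrivilegedMembers {
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
    }
}

# 11.14: developers must not hold the administrative access used to push changes to
# production; any member of $DeveloperGroup in a privileged group is an exception.
function Find-DeveloperAdmins {
    $devs = Get-ADGroupMember -Identity $DeveloperGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-PrivilegedMembers | Where-Object { $devs -contains $_.Member }
}

# Run all checks and keep the output with the assessment as evidence.
Test-PasswordPolicy      | Format-List
Get-OverdueDisabledUsers | Export-Csv -NoTypeInformation -Path .\11-4-overdue-disabled.csv
Get-InactiveEnabledUsers | Export-Csv -NoTypeInformation -Path .\11-6-inactive-enabled.csv
Get-PrivilegedMembers    | Export-Csv -NoTypeInformation -Path .\11-7-privileged-members.csv
Find-DeveloperAdmins     | Export-Csv -NoTypeInformation -Path .\11-14-developer-admins.csv
```

The exports are the artifacts to attach in the "Controls Implemented" column; anything listed in the 11-4 or 11-14 files is an action item. Two caveats: whenChanged is only an upper bound on the disable date, so the HR notice remains the authoritative record for 11.4, and application-level privileges (11.7 item 1) and database rights (11.7 item 3) live outside AD and need their own extracts.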
Program Development
11.15 Statement: A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software. Question: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 Statement: For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones. Question: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Statement: Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Question: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 Statement: For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation. Question: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Statement: Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Question: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 Statement: The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Question: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed daily. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed weekly/monthly? Are incremental backups of critical data performed daily? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a help desk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the help desk ticket. If a backup job fails or data processing performance is negatively affected, is a help desk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do the data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file)?
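The reconciliations that control factors 11.20 (data migration) and 11.25/11.26 (interface and application controls) call for are usually evidenced with three checks: a record count, a control total, and a per-record comparison. The following is an added example, not part of the assessment template or any agency's tooling; the invoice record layout, field names, and both extracts are constructed sample data. It shows why a count-only reconciliation is not enough: the constructed target has the same number of rows as the source, yet one row was lost, one amount was truncated, and one stray row appeared.

```python
"""Data migration / interface reconciliation (added example).

Compares a source extract against what landed in the target system using
record counts, control totals (balancing), and per-record content hashes so
that altered rows are caught even when counts happen to agree.
All record layouts and data below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Iterable, List, Sequence

# Fields that define the business content of a record (hypothetical invoice layout).
CONTENT_FIELDS: Sequence[str] = ("vendor", "amount", "invoice_date")


@dataclass
class Reconciliation:
    source_count: int
    target_count: int
    source_total: Decimal
    target_total: Decimal
    missing: List[str] = field(default_factory=list)   # in source, not in target
    extra: List[str] = field(default_factory=list)     # in target, not in source
    altered: List[str] = field(default_factory=list)   # in both, but content differs

    @property
    def counts_match(self) -> bool:
        return self.source_count == self.target_count

    @property
    def totals_match(self) -> bool:
        return self.source_total == self.target_total

    @property
    def balanced(self) -> bool:
        """True only when every check passes; this is what retained
        reconciliation support should evidence."""
        return (self.counts_match and self.totals_match
                and not self.missing and not self.extra and not self.altered)


def record_hash(rec: Dict[str, object], fields: Sequence[str] = CONTENT_FIELDS) -> str:
    """Hash a canonical field=value rendering so any content change is detected."""
    canonical = "|".join(f"{f}={rec[f]}" for f in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _index(records: Iterable[Dict[str, object]], key: str) -> Dict[str, Dict[str, object]]:
    indexed: Dict[str, Dict[str, object]] = {}
    for rec in records:
        k = str(rec[key])
        if k in indexed:
            # A duplicate key would silently collapse two rows into one and make
            # the count check lie, so treat it as a reconciliation failure.
            raise ValueError(f"duplicate key {k!r} in extract")
        indexed[k] = rec
    return indexed


def reconcile(source, target, key: str = "invoice_id", amount: str = "amount") -> Reconciliation:
    """Run count, control-total and per-record checks of target against source."""
    src = _index(source, key)
    tgt = _index(target, key)
    src_keys, tgt_keys = set(src), set(tgt)
    altered = sorted(k for k in src_keys & tgt_keys
                     if record_hash(src[k]) != record_hash(tgt[k]))
    # Decimal, not float, so the control total is exact to the cent.
    return Reconciliation(
        source_count=len(src),
        target_count=len(tgt),
        source_total=sum((Decimal(str(r[amount])) for r in src.values()), Decimal("0")),
        target_total=sum((Decimal(str(r[amount])) for r in tgt.values()), Decimal("0")),
        missing=sorted(src_keys - tgt_keys),
        extra=sorted(tgt_keys - src_keys),
        altered=altered,
    )


def run_sample() -> Reconciliation:
    """Constructed extracts: one row lost, one amount truncated, one stray row,
    so the counts agree but the migration is not accurate."""
    source = [
        {"invoice_id": "INV-1001", "vendor": "ACME", "amount": "1250.00", "invoice_date": "2017-03-01"},
        {"invoice_id": "INV-1002", "vendor": "Globex", "amount": "80.50", "invoice_date": "2017-03-02"},
        {"invoice_id": "INV-1003", "vendor": "Initech", "amount": "410.25", "invoice_date": "2017-03-03"},
        {"invoice_id": "INV-1004", "vendor": "Umbrella", "amount": "99.99", "invoice_date": "2017-03-04"},
        {"invoice_id": "INV-1005", "vendor": "Stark", "amount": "300.00", "invoice_date": "2017-03-05"},
    ]
    target = [
        {"invoice_id": "INV-1001", "vendor": "ACME", "amount": "125.00", "invoice_date": "2017-03-01"},  # truncated
        {"invoice_id": "INV-1002", "vendor": "Globex", "amount": "80.50", "invoice_date": "2017-03-02"},
        {"invoice_id": "INV-1003", "vendor": "Initech", "amount": "410.25", "invoice_date": "2017-03-03"},
        {"invoice_id": "INV-1005", "vendor": "Stark", "amount": "300.00", "invoice_date": "2017-03-05"},
        {"invoice_id": "INV-9999", "vendor": "Unknown", "amount": "5.00", "invoice_date": "2017-03-06"},  # not in source
    ]
    return reconcile(source, target)


if __name__ == "__main__":
    result = run_sample()
    print(f"counts match: {result.counts_match}, totals match: {result.totals_match}")
    print(f"missing={result.missing} extra={result.extra} altered={result.altered}")
    print("balanced:", result.balanced)
```

The three lists in the result (missing, extra, altered) are the exception items an operator would resolve and document under 11.26; the `balanced` flag is the single go/no-go answer the post-implementation review asks for.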
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This includes management's review of changes to statutes and regulations, economic changes, and other factors. How does management continuously identify changes (e.g., in the control environment, controls, internal controls, or regulations) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not false?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (e.g., SAP module, manual reports) are used to run reports that meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, kept up to date, reflective of actual operating practices, aligned with goals and objectives, and compliant with state and federal program requirements. How are changes (e.g., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition). How does management ensure that these internal communications occur effectively?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (e.g., a flyer in the community room, email, the onboarding process). Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is it communicated to all employees?
14.5 Management periodically (e.g., weekly, monthly, annually) evaluates the accuracy, timeliness, and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent. What are the process and time frame for reviewing reports received from subordinates to evaluate the accuracy, timeliness, and relevance of the information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications occur (e.g., open channels with customers, suppliers, contractors, consultants, and other governments; complaints/inquiries; advice from outside parties) with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these communications (e.g., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners. Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is it communicated to all vendors, contractors, and business partners (e.g., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgment regarding what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (e.g., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Uniform Guidance - § 200.303 Internal Controls

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.

(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations, and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive, or the non-Federal entity considers sensitive, consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.


Why Do We Need an Internal Control Framework?

• Provides standards for management
• Provides criteria for auditors


Updated COSO Framework

• Released May 14, 2013


The COSO Framework

• Relationship of objectives and components
– Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)

• COSO depicts the relationship in the form of a cube
– The three objectives are represented by the columns
– The five components are represented by the rows
– The entity's organization structure is represented by the third dimension

Source: COSO


From COSO to Green Book: Harmonization

[Figure: COSO framework mapped to the Green Book]


Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
– Overview
– Standards

• Establishes
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirement for effectiveness


Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts

• What is internal control in the Green Book?
– Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved.

• What is an internal control system in the Green Book?
– An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved.


Relationship Between Components, Principles, and Attributes

The slide walks one example down the hierarchy (objective, component, principle, attribute):
• Objective: Process vendor bills after the valid purchase and receipt of goods or services
• Component: Control Activity
• Principle: Design Activities for Information System
• Attribute: Application Control – Workflow Approval


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Working Framework: Component, Principle, Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system

• Principles and attributes
– Entity should implement relevant principles
◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
– Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system

• Attributes provide further explanation of the principle and documentation requirements; they may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components is
– Effectively designed, implemented, and operating
– Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system

• A component is not effective if related principles are not effective

Layout of the Green Book

[Figure: the two sections of the Green Book, Overview and Standards]


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and must operate together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively


Minimum Documentation Requirements (cont.)

| Requirement | Component (Reference) |
|---|---|
| Management develops and maintains documentation of its internal control system | Control Environment (3.09) |
| Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02) |
| Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09) |
| Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05) |
| Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06) |


In Practice…


We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as its sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

Starting from HERE:
• Formally declare an internal control framework (Written Policy, required)
• Break down the organization into functions (Risk Assessment Spreadsheet)
• Establish a process for evaluating risks (Risk Assessment Spreadsheet)
• Create teams by function to brainstorm risks (Risk Assessment Spreadsheet)


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed
…to THERE.

Supporting documents at this stage: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to the unique makeup of its entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements, errors, or non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk assessment spreadsheet (weights in points per factor; total 100): Level of documented control procedures 10; Size or volume 10; New products, services, or processing systems 10; Personnel turnover and mix 15; Complexity 15; Susceptibility to fraud 15; Information and reporting 10; Inherent level of risk to the organization 10; Frequency mentioned during interviews 5. The Total Score is the sum of each factor rating multiplied by its weight.

| Risk | Documented controls (10) | Size/volume (10) | New products, services, systems (10) | Turnover and mix (15) | Complexity (15) | Fraud susceptibility (15) | Information and reporting (10) | Inherent risk (10) | Interview frequency (5) | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and that, should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner, but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.

Age of Venue - Filene Center: The risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.


Internal Control Policies and Procedures

• Develop a template and a location for access and storage – SharePoint, intranet site, guide, etc. (information and communication)

• Policy components – identify the risk; document the control activities; strategy for communication


Internal Audit Management Audit Plan


Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, Sean.Walker@claconnect.com, 410-308-8081


  • Internal Control over Compliance/Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples (Commonwealth processes referenced to the internal control principle they most likely support):

| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness Level drop-down values: Deficiency / Significant Deficiency / Material Weakness

Agency: _______________________  Assessable Unit: _____________  Updated: 07/18/2016

Note: the corrective action columns are to be completed for all significant deficiencies or material weaknesses.

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Questions: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Questions: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Questions: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Questions: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Questions: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Questions: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Questions: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Questions: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials and references of new employees.
    Questions: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Questions: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Questions: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Questions: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Questions: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Questions: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Questions: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Questions: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Questions: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (i.e., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Questions: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Questions: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Questions: Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Questions: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes toward their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Questions: Is management open to feedback from employees, and does management continually assess employee attitudes toward their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Questions: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Questions: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Questions: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Questions: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Questions: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
    Questions: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Questions: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Questions: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
    Questions: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Questions: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Questions: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Questions: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Questions: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
    Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status.
    Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
    Questions: 1) Is access to special privileges (i.e., Security Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file).
Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.
Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors.
How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended for operations, employee recognition, etc.) occur.
How does management ensure that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended for operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Does management periodically complete a review and evaluation of each mission critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Why Do We Need an Internal Control Framework?
• Provides standards for management
• Provides criteria for auditors

Updated COSO Framework
• Released May 14, 2013

The COSO Framework
• Relationship of objectives and components
– Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
– The three objectives are represented by the columns
– The five components are represented by the rows
– The entity's organization structure is represented by the third dimension
Source: COSO

From COSO to Green Book: Harmonization
[Figure: COSO | Green Book]

Revised Green Book: Standards for Internal Control in the Federal Government
• Consists of 2 sections
– Overview
– Standards
• Establishes
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirement for effectiveness

Overview Section
• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control

Fundamental Concepts
• What is internal control in Green Book?
– Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
– An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved

Relationship Between Components, Principles and Attributes
[Figure: Objectives → Components → Principles → Attributes. Worked example on the slide: Objective "Process vendor bills after the valid purchase and receipt of goods or services"; Component "Control Activity"; Principle "Design Activities for Information System"; Attribute "Application Control – Workflow Approval"]

Components and Principles

Revised Green Book Principles: 5 Components and 17 Principles

Component, Principle, Attribute: Working Framework

Principles and Attributes
• In general, all components and principles are required for an effective internal control system
• Principles and attributes
– Entity should implement relevant principles
◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
– Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles

Principles and Attributes (cont.)
• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation
• An effective internal control system requires that each of the five components is
– Effectively designed, implemented and operating
– Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

5 Control Components
• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Control Environment
The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment
Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities
The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication
The quality information management and personnel communicate and use to support the internal control system.

Monitoring
Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements
• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively

Minimum Documentation Requirements (cont.)
Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…
• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens technique"
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendation as sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing
[Flow diagram, starting from HERE: Formally declare an internal control framework; Break down the organization into functions; Establish a process for evaluating risks; Create teams by function to brainstorm risks. Deliverables shown beside the steps: Written Policy (Required); Risk Assessment Spreadsheet]


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed
THERE

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: it must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples


Enterprise Risk Management

Factor weights (the weights row of the spreadsheet, total 100):

| Factor | Weight |
|---|---|
| Level of documented control procedures | 10 |
| Size or volume | 10 |
| New products, services, or processing systems | 10 |
| Personnel turnover and mix | 15 |
| Complexity | 15 |
| Susceptibility to fraud | 15 |
| Information and reporting | 10 |
| Inherent level of risk to the organization | 10 |
| Frequency mentioned during interviews | 5 |

Scores (1 to 5) per factor, in the column order above, and Total Score:

| Risk | Documented controls | Size/volume | New products | Turnover | Complexity | Fraud | Info/reporting | Inherent risk | Interviews | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
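The slide does not say how Total Score is computed; it is each factor's 1-5 score multiplied by that factor's weight and summed, which reproduces all five totals shown. The following is an added example, not the firm's or the spreadsheet's own code, that scores and ranks the five slide rows with that formula, rejects malformed rows, and breaks a risk's total down by factor; the helper names and the exposure threshold used in the usage block are assumptions chosen here.

```python
"""Weighted risk scoring as used by the Enterprise Risk Management spreadsheet
on this page. Each risk is scored 1-5 on nine factors; Total Score is the sum
of score x factor weight, with the weights row adding up to 100. That formula
reproduces all five totals on the slide (405, 335, 335, 335, 330). Added
example, not the firm's or the spreadsheet's own code."""

# Factor names and weights, in the spreadsheet's column order (sum = 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
MIN_SCORE, MAX_SCORE = 1, 5


def check_weights(factors=FACTORS):
    """The weights row must add up to 100, or totals lose their meaning."""
    total = sum(weight for _, weight in factors)
    if total != 100:
        raise ValueError(f"factor weights sum to {total}, expected 100")
    return total


def score_risk(scores, factors=FACTORS):
    """Weighted total for one risk row. A row with the wrong number of factors
    or a score outside 1-5 is an error here; in a spreadsheet a blank or
    mistyped cell would silently distort the total instead."""
    if len(scores) != len(factors):
        raise ValueError(f"expected {len(factors)} scores, got {len(scores)}")
    for (name, _), s in zip(factors, scores):
        if not isinstance(s, int) or not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"{name}: score {s!r} not in {MIN_SCORE}-{MAX_SCORE}")
    return sum(weight * s for (_, weight), s in zip(factors, scores))


def factor_contributions(scores, factors=FACTORS):
    """Per-factor points (weight x score), largest first, so a team can see
    which factor is driving a risk's total when designing controls for it."""
    parts = [(name, weight * s) for (name, weight), s in zip(factors, scores)]
    return sorted(parts, key=lambda part: part[1], reverse=True)


def rank_risks(rows, factors=FACTORS):
    """Return (risk name, total) pairs, highest total first. The sort is
    stable, so risks that tie keep the order they were entered in."""
    check_weights(factors)
    totals = [(name, score_risk(scores, factors)) for name, scores in rows]
    return sorted(totals, key=lambda pair: pair[1], reverse=True)


def high_exposure(rows, threshold, factors=FACTORS):
    """Names of risks whose total meets the threshold, highest first."""
    return [name for name, total in rank_risks(rows, factors) if total >= threshold]


# The five rows from the slide (constructed here, scores in column order).
SLIDE_ROWS = [
    ("Data Breach",                        [2, 5, 4, 3, 5, 4, 5, 5, 3]),
    ("National Park Service Relationship", [3, 5, 4, 3, 4, 1, 2, 5, 5]),
    ("Age of Venue - Filene Center",       [3, 5, 4, 3, 4, 3, 1, 4, 3]),
    ("Succession Planning",                [5, 2, 1, 5, 3, 2, 3, 5, 5]),
    ("Audience Competition",               [3, 5, 3, 1, 4, 2, 4, 5, 5]),
]

if __name__ == "__main__":
    for name, total in rank_risks(SLIDE_ROWS):
        print(f"{total:4d}  {name}")
    # Threshold of 335 is an assumed cut-off, not one stated on the slide.
    print("High exposure:", high_exposure(SLIDE_ROWS, 335))
    top_name, top_scores = SLIDE_ROWS[0]
    for factor, points in factor_contributions(top_scores)[:3]:
        print(f"  {top_name}: {factor} contributes {points} points")
```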


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

CLAconnect.com
twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

Weakness Level drop-down choices: Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?

1.2 Statement: Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 Statement: The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?

Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Statement: The Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 Statement: A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Statement: Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?

Control Activities

Principle 10 – Design Control Activities

10.1 Statement: Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Statement: Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 Statement: The agency has established and monitors performance measures and indicators.
Question: Do you monitor performance measures?

10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Statement: Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Statement: Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Statement: Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
1014 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follows up on any areas of concerndeficiencies identified in the reports Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follow up on any areas of concerndeficiencies identified in the reports

Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Questions: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status.
Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts and user IDs placed in a suspended status?

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
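The password parameters in 11.3 written out as executable logic, added here as an editorial example; this is not code from the page or from the Commonwealth's Active Directory configuration. It assumes an in-memory user store (the names Directory, complexity_errors and login are assumptions) and constructed accounts and dates. It enforces the 8-character minimum with one letter and one digit when a password is set, the 30-day expiry at login, and suspension of the user ID on the fourth invalid attempt, with a successful login resetting the counter.

```python
"""Model of the control 11.3 password parameters (added example, not the
page's own code): 8+ characters with at least one letter and one digit,
expiry every 30 days, and suspension of the user ID after four invalid
attempts. The in-memory store and all names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8            # 11.3: minimum of 8 characters
MAX_AGE_DAYS = 30         # 11.3: passwords expire every 30 days
MAX_INVALID_ATTEMPTS = 4  # 11.3: four invalid attempts -> ID suspended


def complexity_errors(password):
    """Return the 11.3 complexity rules a candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        errors.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        errors.append("no numeric character")
    return errors


def _digest(password, salt):
    # Salted PBKDF2 so the store never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_on: date
    invalid_attempts: int = 0
    suspended: bool = False


class Directory:
    """In-memory stand-in for the directory or application user store.
    Dates are passed as ISO strings (YYYY-MM-DD)."""

    def __init__(self):
        self.accounts = {}

    def set_password(self, user_id, password, today):
        """Set or reset a password: enforces complexity, restarts the
        30-day clock and clears any suspension (the reinstatement path)."""
        errors = complexity_errors(password)
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.accounts[user_id] = Account(
            user_id, salt, _digest(password, salt), date.fromisoformat(today))

    def login(self, user_id, password, today):
        """Authenticate and return a short outcome string."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied: unknown user ID"
        if acct.suspended:
            return "denied: user ID suspended"
        if not hmac.compare_digest(acct.digest, _digest(password, acct.salt)):
            acct.invalid_attempts += 1
            if acct.invalid_attempts >= MAX_INVALID_ATTEMPTS:
                acct.suspended = True   # 11.3: fourth invalid attempt
                return "denied: user ID suspended"
            return "denied: invalid password"
        acct.invalid_attempts = 0       # a good login resets the counter
        age = date.fromisoformat(today) - acct.password_set_on
        if age >= timedelta(days=MAX_AGE_DAYS):
            return "password expired"   # 11.3: 30-day expiry
        return "ok"
```

The same checks are what a reviewer compares an application's own login code against when it does not inherit the Active Directory policy; the expiry here treats a password exactly 30 days old as expired, which is the strict reading of "every 30 days".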

Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
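A scripted version of the access review that 10.6, 11.4, 11.6, 11.7 and 11.14 describe, added here as an editorial example rather than the page's or the Commonwealth's own procedure. It assumes an HR roster export and an account export in the CSV layouts shown (constructed data), a list of role pairs that may not be held together, and the two-week deletion window for suspended IDs from 11.4; the role names, department name and review date are assumptions. It flags IDs still active after the owner's separation, suspended IDs past the deletion window, IDs with no HR owner, administrative roles outside the IT group, and segregation-of-duties conflicts such as a developer who can also release to production.

```python
"""Periodic user-access review (controls 10.6, 11.4, 11.6, 11.7, 11.14):
reconcile an account export against the HR roster and a role-conflict
list. Added example, not code from the page; the CSV layouts, role names
and review date are assumptions and the data is constructed."""
import csv
from datetime import date, timedelta
from io import StringIO

DELETE_AFTER_DAYS = 14      # 11.4: suspended IDs are deleted after two weeks
ADMIN_DEPARTMENT = "IT"     # 11.4: administrative access limited to the IT group
ADMIN_ROLES = {"Server Admin", "Production Release"}   # assumed role names
REVIEW_DATE = date(2017, 3, 15)                       # assumed review date

# Roles one person must not hold together. The first pair follows 11.14
# (developers must not implement changes in production); the second is a
# constructed illustration of a business-side conflict.
CONFLICTING_ROLES = [
    ("Developer", "Production Release"),
    ("Purchasing", "Invoice Approval"),
]

# Constructed HR roster (what HR communicated to the administrators).
HR_ROSTER = """\
employee_id,name,department,status,separation_date
E100,Ana Perez,Finance,Active,
E101,Ben Ortiz,IT,Active,
E102,Cara Lee,Finance,Separated,2017-03-01
E103,Dan Shaw,IT,Separated,2017-02-01
E104,Eve Tran,Development,Active,
"""

# Constructed account export from the directory / application.
ACCOUNTS = """\
user_id,employee_id,status,suspended_on,roles
aperez,E100,Active,,Purchasing;Invoice Approval
bortiz,E101,Active,,Server Admin
clee,E102,Active,,Reporting
dshaw,E103,Suspended,2017-02-01,Server Admin
etran,E104,Active,,Developer;Production Release
svc_batch,,Active,,Reporting
"""


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def _day(text):
    return date.fromisoformat(text) if text else None


def review_access(hr_csv, accounts_csv, review_date):
    """Return (user_id, finding) pairs for the business managers to work."""
    hr = {row["employee_id"]: row for row in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        uid = acct["user_id"]
        roles = set(r for r in acct["roles"].split(";") if r)
        emp = hr.get(acct["employee_id"])

        # 11.6: every ID needs an owner who can confirm the business need
        if emp is None:
            findings.append((uid, "no HR record: confirm owner and business need"))
        # 11.4(2): the ID must be suspended on the employee's last day
        elif emp["status"] == "Separated" and acct["status"] == "Active":
            last_day = _day(emp["separation_date"])
            if last_day and last_day <= review_date:
                findings.append((uid, f"still active after separation on {last_day}"))

        # 11.4(2): suspended IDs are deleted after the two-week period
        if acct["status"] == "Suspended":
            since = _day(acct["suspended_on"])
            if since and review_date - since > timedelta(days=DELETE_AFTER_DAYS):
                findings.append((uid, "suspended more than 14 days: delete the ID"))

        # 11.4(3) / 11.7: administrative roles only inside the IT group
        if roles & ADMIN_ROLES and (emp is None or emp["department"] != ADMIN_DEPARTMENT):
            findings.append((uid, "administrative role held outside the IT group"))

        # 10.6 / 11.14: segregation of duties
        for a, b in CONFLICTING_ROLES:
            if a in roles and b in roles:
                findings.append((uid, f"segregation of duties conflict: {a} + {b}"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, finding in run_review():
        print(f"{user_id}: {finding}")
```

The findings list is the artifact a business manager signs and dates for 11.6; the review only reports, it does not change access, because 11.6 reserves modifications to the Data Security group.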

Program Development

11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?

Computer Operations

11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?

Data Integrity

11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
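The application controls of 11.25 and 11.26 applied to one interfaced batch, added here as an editorial example that is not code from the page. The file layout is an assumption: a CTL control record carrying the sender's record count and hash total, followed by DTL detail records (reference, account code, amount); the edit-check rules and the account-code format are assumptions and the batch itself is constructed, with two records deliberately defective. The block runs the edit checks, separates rejected transactions so they can be resolved, reconciles the input to the control record, writes the output file and reconciles output plus rejections back to the input total.

```python
"""Application controls over a batch interface (controls 11.25, 11.26):
edit checks on each input record, isolation of rejected transactions,
batch totals, and reconciliation control record -> input -> output.
Added example; the file layout and the rules are assumptions."""
import csv
import re
from decimal import Decimal, InvalidOperation
from io import StringIO

# Constructed batch. The CTL record carries the sender's record count and
# hash total; DTL records are reference, account code, amount. Records
# 0003 and 0004 are deliberately defective.
INPUT_FILE = """\
CTL,5,1550.00
DTL,GR-2017-0001,0100-44,350.00
DTL,GR-2017-0002,0100-45,400.00
DTL,GR-2017-0003,BAD ACCT,250.00
DTL,GR-2017-0004,0100-46,abc
DTL,GR-2017-0005,0100-47,550.00
"""

ACCOUNT_CODE = re.compile(r"^\d{4}-\d{2}$")   # assumed account-code format


def _amount(text):
    """Parse an amount, or return None when it is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def validate(record):
    """System edit checks on one DTL record; returns a rejection reason or None."""
    if len(record) != 4 or record[0] != "DTL":
        return "malformed record"
    _, ref, account, amount = record
    if not ref.startswith("GR-"):
        return "reference not in expected form"
    if not ACCOUNT_CODE.match(account):
        return "invalid account code"
    value = _amount(amount)
    if value is None:
        return "amount is not numeric"
    if value <= 0:
        return "amount must be positive"
    return None


def write_output(accepted):
    """Write the accepted records to the downstream interface file."""
    buf = StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for rec in accepted:
        writer.writerow(rec)
    return buf.getvalue()


def output_total(output_text):
    """Re-read the output file and total it (reconciliation to output file)."""
    return sum((Decimal(r[3]) for r in csv.reader(StringIO(output_text))),
               Decimal("0"))


def process_batch(text):
    """Validate, split accepted/rejected, write output, and reconcile."""
    rows = list(csv.reader(StringIO(text)))
    if not rows or rows[0][0] != "CTL":
        raise ValueError("missing control record")
    ctl_count, ctl_total = int(rows[0][1]), Decimal(rows[0][2])
    details = rows[1:]

    accepted, rejected = [], []
    input_total = rejected_total = Decimal("0")
    for rec in details:
        amount = _amount(rec[3]) if len(rec) == 4 else None
        input_total += amount or Decimal("0")   # hash total over numeric amounts
        reason = validate(rec)
        if reason:
            rejected.append((rec[1] if len(rec) > 1 else "?", reason))
            rejected_total += amount or Decimal("0")
        else:
            accepted.append(rec)

    output_text = write_output(accepted)
    out_total = output_total(output_text)
    return {
        "control_count_ok": len(details) == ctl_count,      # reconcile to source
        "control_total_ok": input_total == ctl_total,
        "balanced": len(accepted) + len(rejected) == len(details),
        "output_reconciles": out_total + rejected_total == input_total,
        "output_total": out_total,
        "output_file": output_text,
        "accepted": [rec[1] for rec in accepted],
        "rejected": rejected,
    }
```

A failed control-count or control-total check means the file that arrived is not the file that was sent and the batch should be held rather than posted; the rejected list is the exception report that 11.26 expects someone to resolve, and the output total is the figure the output-report review compares against.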

Disaster Recovery

11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?

Principle 12 – Implement Control Activities

12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?

Information and Communication

Principle 13 – Use Quality Information

13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?

Principle 14 – Communication Internally

14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, e-mail, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness and relevance of information?

Principle 15 – Communication Externally

15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants and other governments; complaints/inquiries; advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., e-mail)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?

Monitoring

Principle 16 – Perform Monitoring Activities

16.1 Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?

16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?

Principle 17 – Evaluate Issues and Remediate Deficiencies

17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Updated COSO Framework

• Released May 14, 2013


The COSO Framework

• Relationship of objectives and components

– Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)

• COSO depicts the relationship in the form of a cube

– The three objectives are represented by the columns

– The five components are represented by the rows

– The entity's organization structure is represented by the third dimension

Source: COSO

From COSO to Green Book: Harmonization

(Diagram: COSO to Green Book)


Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections

– Overview

– Standards

• Establishes

– Definition of internal control

– Categories of objectives

– Components and principles of internal control

– Requirement for effectiveness


Overview Section

• Explains fundamental concepts of internal control

• Addresses how components, principles and attributes relate to an entity's objectives

• Discusses management evaluation of internal control


Fundamental Concepts

• What is internal control in Green Book?

– Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved

• What is an internal control system in Green Book?

– An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved


Relationship Between Components, Principles, and Attributes

(Diagram: Objectives → Components → Principles → Attributes)

Example shown in the diagram:
– Objective: Process vendor bills after the valid purchase and receipt of goods or services
– Component: Control Activity
– Principle: Design Activities for Information System
– Attribute: Application Control – Workflow Approval


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Working Framework: Component, Principle, Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system

• Principles and attributes
– Entity should implement relevant principles
◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
– Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system

• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components are:
– Effectively designed, implemented, and operating
– Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system

• A component is not effective if related principles are not effective

Layout of the Green Book

(Diagram of the two sections: Overview and Standards)


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)

Management develops and maintains documentation of its internal control system. | Control Environment (3.09)

Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)

Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)

Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)

Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

HERE (starting point)

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown alongside these steps: Written Policy (Required); Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

THERE (end point)

Deliverables shown alongside these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: The weakness must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

(The spreadsheet's Template and Examples tabs are reproduced at the end of this document.)


Enterprise Risk Management

Risk scoring spreadsheet. Each risk is rated on nine weighted factors; the factor weights (totaling 100) are:

Level of documented control procedures: 10
Size or volume: 10
New products, services, or processing systems: 10
Personnel turnover and mix: 15
Complexity: 15
Susceptibility to fraud: 15
Information and reporting: 10
Inherent level of risk to the organization: 10
Frequency mentioned during interviews: 5
Total: 100

RISK DESCRIPTION (ratings listed in the factor order above, followed by the Total Score):

Data Breach – The risk that the organization's data is vulnerable from internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged. Ratings: 2, 5, 4, 3, 5, 4, 5, 5, 3. Total Score: 405

National Park Service Relationship – Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. Ratings: 3, 5, 4, 3, 4, 1, 2, 5, 5. Total Score: 335

Age of Venue - Filene Center – Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. Ratings: 3, 5, 4, 3, 4, 3, 1, 4, 3. Total Score: 335

Succession Planning – The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. Ratings: 5, 2, 1, 5, 3, 2, 3, 5, 5. Total Score: 335

Audience Competition – The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. Ratings: 3, 5, 3, 1, 4, 2, 4, 5, 5. Total Score: 330
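As an added example (not from the presentation or its spreadsheet), the scoring model behind the table above in Python: every Total Score on the slide equals the sum of each 1-5 rating multiplied by its factor weight, and the code reproduces that for the five risks, ranks them, and shows which factor contributes most to each score. Factor names, weights and ratings are copied from the slide; the Risk class and the helper names are my own.

```python
"""Weighted risk-scoring model from the Enterprise Risk Management spreadsheet."""
from dataclasses import dataclass

# The nine rating factors and their weights, as printed on the slide (sum = 100).
FACTOR_WEIGHTS = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services, or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}
FACTORS = list(FACTOR_WEIGHTS)
MIN_RATING, MAX_RATING = 1, 5  # the slide rates every factor from 1 to 5


@dataclass(frozen=True)
class Risk:  # hypothetical container, not part of the spreadsheet
    name: str
    ratings: tuple  # one rating per factor, in FACTORS order


def total_score(ratings):
    """Return sum(rating * weight): the 'Total Score' column of the sheet."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    for factor, rating in zip(FACTORS, ratings):
        if not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(f"{factor}: rating {rating} outside {MIN_RATING}-{MAX_RATING}")
    return sum(r * FACTOR_WEIGHTS[f] for f, r in zip(FACTORS, ratings))


def factor_contributions(risk):
    """Per-factor points (rating * weight), largest first, to explain a score."""
    contributions = [(f, r * FACTOR_WEIGHTS[f]) for f, r in zip(FACTORS, risk.ratings)]
    return sorted(contributions, key=lambda fc: fc[1], reverse=True)


def rank_risks(risks):
    """Risks ordered by total score, highest first; ties keep sheet order (stable sort)."""
    return sorted(risks, key=lambda r: total_score(r.ratings), reverse=True)


# The five risks on the slide (ratings copied from it, descriptions shortened to the name).
SAMPLE_RISKS = (
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
)


if __name__ == "__main__":
    max_total = MAX_RATING * sum(FACTOR_WEIGHTS.values())  # 500 with these weights
    for risk in rank_risks(SAMPLE_RISKS):
        score = total_score(risk.ratings)
        top_factor, points = factor_contributions(risk)[0]
        print(f"{score:>4}/{max_total}  {risk.name:<36} top factor: {top_factor} ({points})")
```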


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
– SharePoint, intranet site, guide, etc. (information and communication)

• Policy components
– Identify the risk
– Document the control activities
– Strategy for communication


Internal Audit / Management Audit Plan

twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit / Management Audit Plan
  • Slide Number 41
Examples tab

Principle | Control Factor

1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Template tab

Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________ Assessable Unit: _____________ Updated: 07/18/2016

Weakness Level (drop-down values): Deficiency; Significant Deficiency; Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 2059? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience; evidence of integrity and ethical behavior; and performing checks on background, credentials, and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?

Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for their objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operation objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 - Access Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; appropriate documentation (formal policies, directives, and manuals are properly managed and maintained). Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
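The deprovisioning timeline in 11.4 (suspend on the last day, delete after two weeks, administrative access only within the IT group) and the periodic access review in 11.6 can be tested mechanically by reconciling an HR roster against a directory export. The script below is an added example, not part of the checklist or any Commonwealth system; the roster entries, directory entries, department names and finding codes are all constructed.

```python
"""Access administration reconciliation for the 11.4 / 11.6 controls.

Compares an HR roster (with separation dates) against a directory export and
flags: accounts still enabled after the employee's last day, accounts not
deleted once the two-week grace period has passed, administrative access held
outside the IT group, and directory accounts with no HR record (the access
review must identify an owner for these). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DELETE_GRACE = timedelta(days=14)  # "after a two-week period, user IDs are deleted"
ADMIN_GROUP = "IT"                 # only the IT group may hold administrative access


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    last_day: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool
    admin: bool
    department: str


@dataclass(frozen=True)
class Finding:
    user_id: str
    control: str  # checklist item the finding relates to
    code: str     # machine-readable finding type
    detail: str


def reconcile(hr: List[HrRecord], directory: List[DirectoryAccount],
              as_of: date) -> List[Finding]:
    """Return every exception found when comparing HR data to the directory."""
    findings: List[Finding] = []
    accounts = {a.user_id: a for a in directory}
    hr_ids = {r.user_id for r in hr}

    for rec in hr:
        acct = accounts.get(rec.user_id)
        if rec.last_day is None or rec.last_day > as_of or acct is None:
            continue  # still employed, not yet separated, or already deleted
        if acct.enabled:
            findings.append(Finding(rec.user_id, "11.4(2)", "ENABLED_AFTER_LAST_DAY",
                                    f"account still enabled; last day was {rec.last_day}"))
        if as_of > rec.last_day + DELETE_GRACE:
            findings.append(Finding(rec.user_id, "11.4(2)", "NOT_DELETED_AFTER_GRACE",
                                    f"should have been deleted by {rec.last_day + DELETE_GRACE}"))

    for acct in directory:
        if acct.user_id not in hr_ids:
            findings.append(Finding(acct.user_id, "11.6", "NO_HR_RECORD",
                                    "no HR record; access review must identify the owner"))
        if acct.admin and acct.department != ADMIN_GROUP:
            findings.append(Finding(acct.user_id, "11.4(3)", "ADMIN_OUTSIDE_IT",
                                    f"administrative access held in {acct.department}"))
    return findings


# Constructed sample data (not from any real system)
SAMPLE_HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2017, 3, 1)),     # separated, account never suspended
    HrRecord("carol", date(2017, 3, 10)),  # separated, suspended, inside grace period
    HrRecord("dave", date(2017, 2, 1)),    # separated and already deleted
    HrRecord("frank", None),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", True, False, "Finance"),
    DirectoryAccount("bob", True, False, "Finance"),
    DirectoryAccount("carol", False, False, "HR"),
    DirectoryAccount("erin", True, True, "Finance"),  # no HR record, admin outside IT
    DirectoryAccount("frank", True, True, "IT"),
]
REVIEW_DATE = date(2017, 3, 20)

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, REVIEW_DATE):
        print(f"{f.user_id:8} {f.control:8} {f.code:24} {f.detail}")
```

Run against the sample data, the review dated 2017-03-20 produces four findings: two for bob (still enabled, not deleted) and two for erin (no HR record, administrative access outside IT).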
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
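The edit checks, rejected-transaction handling and input-to-output balancing described in 11.25 and 11.26 (and the batch totals named under 10.9) fit together as one control: every source record must land in either the accepted or the rejected file, and the counts, ids and amount totals must agree across the three. The script below is an added example, not code from the checklist or any agency system; the field names, edit-check rules and the sample batch are constructed.

```python
"""Batch control-total reconciliation for the 11.25 / 11.26 controls.

Runs edit checks over a constructed input batch, splits it into accepted and
rejected transactions, then balances source, accepted and rejected by record
count, amount total and transaction id so every input record is accounted for
exactly once. Field names, rules and sample records are constructed.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input batch, as it might arrive from an interface file
SOURCE_BATCH = [
    {"id": "T001", "account": "1001", "amount": "250.00"},
    {"id": "T002", "account": "1002", "amount": "-40.00"},  # non-positive: rejected
    {"id": "T003", "account": "ABCD", "amount": "12.50"},   # bad account: rejected
    {"id": "T004", "account": "1003", "amount": "99.99"},
    {"id": "T004", "account": "1004", "amount": "5.00"},    # duplicate id: rejected
    {"id": "T005", "account": "1005", "amount": "1x.00"},   # unparsable: rejected
]


def parse_amount(text: str) -> Optional[Decimal]:
    """Parse a money field exactly; return None when it is not a valid decimal."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def edit_check(rec: Dict[str, str], seen_ids: Set[str]) -> Optional[str]:
    """Return a rejection reason, or None when the record passes all edit checks."""
    if rec["id"] in seen_ids:
        return "duplicate transaction id"
    if not (len(rec["account"]) == 4 and rec["account"].isdigit()):
        return "account must be four digits"
    amount = parse_amount(rec["amount"])
    if amount is None:
        return "unparsable amount"
    if amount <= 0:
        return "amount must be positive"
    return None


def process_batch(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split the batch into accepted records and rejected records tagged with a reason."""
    accepted: List[Dict[str, str]] = []
    rejected: List[Dict[str, str]] = []
    seen: Set[str] = set()
    for rec in records:
        reason = edit_check(rec, seen)
        seen.add(rec["id"])
        if reason is None:
            accepted.append(rec)
        else:
            rejected.append({**rec, "reason": reason})
    return accepted, rejected


def control_totals(records: List[Dict[str, str]]) -> Tuple[int, Decimal]:
    """Record count and amount total; unparsable amounts contribute zero to the
    total on every side of the reconciliation, so they still balance by count."""
    total = Decimal("0")
    for rec in records:
        amount = parse_amount(rec["amount"])
        if amount is not None:
            total += amount
    return len(records), total


def reconcile(source: List[Dict[str, str]], accepted: List[Dict[str, str]],
              rejected: List[Dict[str, str]]) -> Dict[str, bool]:
    """Balance source against accepted plus rejected on count, amount and ids."""
    src_n, src_total = control_totals(source)
    acc_n, acc_total = control_totals(accepted)
    rej_n, rej_total = control_totals(rejected)
    return {
        "counts_balance": src_n == acc_n + rej_n,
        "amounts_balance": src_total == acc_total + rej_total,
        "ids_balance": sorted(r["id"] for r in source)
                       == sorted(r["id"] for r in accepted + rejected),
        "no_rejects_in_output": all("reason" not in r for r in accepted),
    }


if __name__ == "__main__":
    acc, rej = process_batch(SOURCE_BATCH)
    for r in rej:
        print(f"rejected {r['id']}: {r['reason']}")
    print(reconcile(SOURCE_BATCH, acc, rej))
```

Dropping a single accepted record before the output file is written flips counts_balance, amounts_balance and ids_balance to False, which is the condition the review of output reports in 11.25 is meant to catch.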
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies its information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements. How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored

The COSO Framework

• Relationship of objectives and components
– Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube
– The three objectives are represented by the columns
– The five components are represented by the rows
– The entity's organization structure is represented by the third dimension

Source: COSO

From COSO to Green Book: Harmonization

[Figure: COSO mapped side by side with the Green Book]

Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
– Overview
– Standards
• Establishes
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirement for effectiveness

Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control

Fundamental Concepts

• What is internal control in Green Book?
– Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
– An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved

Relationship Between Components, Principles and Attributes

[Figure: hierarchy of Objectives, Components, Principles and Attributes, illustrated in that order with: process vendor bills after the valid purchase and receipt of goods or services; Control Activity; Design Activities for Information System; Application Control – Workflow Approval]

Components and Principles

[Figure: the five components and their principles]

Revised Green Book Principles: 5 Components and 17 Principles

[Figure: the 17 principles grouped under the five components]

Working Framework

[Figure: Component, Principle, Attribute]

Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
– Entity should implement relevant principles
◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
– Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation and operation of the associated components, and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation

• An effective internal control system requires that each of the five components are
– Effectively designed, implemented and operating
– Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

[Figure: the two sections of the Green Book, Overview and Standards]

Layout of the Green Book

[Figure: layout of the Green Book]

5 Control Components

• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

[Figure: controls across components]

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

HERE
• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown for these steps: Written Policy (Required); Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed
THERE

Deliverables shown for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)

Written Policy

[Figure: sample written policy]

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies, it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, significant deficiency or a material weakness by making the appropriate selection with the drop down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability of outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Enterprise Risk Management

Risk factor weights (columns in sheet order): Level of documented control procedures 10; Size or volume 10; New products, services or processing systems 10; Personnel turnover and mix 15; Complexity 15; Susceptibility to fraud 15; Information and reporting 10; Inherent level of risk to the organization 10; Frequency mentioned during interviews 5; total 100

Risk | Description | Factor scores (in the order above) | Total Score
Data Breach | The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged | 2 5 4 3 5 4 5 5 3 | 405
National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization | 3 5 4 3 4 1 2 5 5 | 335
Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization | 3 5 4 3 4 3 1 4 3 | 335
Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination | 5 2 1 5 3 2 3 5 5 | 335
Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing | 3 5 3 1 4 2 4 5 5 | 330
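The scoring behind the spreadsheet above, as an added example that is not part of the original presentation: each Total Score is the sum of the nine factor scores multiplied by their column weights, and the code below reproduces the sheet's totals, ranks the risks, and shows which factors drive a given risk's total. The factor names, weights and the five risks' scores are taken from the sheet on this page; the 1 to 5 score scale, the `Risk` class and the function names are assumptions of this example.

```python
"""Weighted risk scoring, reproducing the Enterprise Risk Management sheet.

Added example, not code from the presentation. Factor weights and the five
sample risks come from the sheet on this page; the scoring, validation and
ranking helpers are an assumed implementation of the sheet's arithmetic.
"""
from dataclasses import dataclass

# Nine risk factors and their weights, in the sheet's column order.
# The weights sum to 100, so a risk scored 5 on every factor totals 500.
FACTOR_WEIGHTS = {
    "documented_control_procedures": 10,
    "size_or_volume": 10,
    "new_products_services_systems": 10,
    "personnel_turnover_and_mix": 15,
    "complexity": 15,
    "susceptibility_to_fraud": 15,
    "information_and_reporting": 10,
    "inherent_risk_to_organization": 10,
    "frequency_in_interviews": 5,
}

# Assumed scale: every factor is scored as an integer from 1 (low) to 5 (high).
MIN_SCORE, MAX_SCORE = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    scores: tuple  # one integer per factor, in FACTOR_WEIGHTS order


def validate_weights(weights=FACTOR_WEIGHTS) -> None:
    """Reject a weight set that does not add up to 100 (a common spreadsheet slip)."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"factor weights must sum to 100, got {total}")


def weighted_score(scores, weights=FACTOR_WEIGHTS) -> int:
    """Return sum(score * weight) after checking the score count and range."""
    if len(scores) != len(weights):
        raise ValueError(f"expected {len(weights)} scores, got {len(scores)}")
    for s in scores:
        if not isinstance(s, int) or not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"score {s!r} outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(s * w for s, w in zip(scores, weights.values()))


def factor_contributions(scores, weights=FACTOR_WEIGHTS):
    """Per-factor share of the total, largest first, to show what drives a risk's rank."""
    contrib = {f: s * w for (f, w), s in zip(weights.items(), scores)}
    return sorted(contrib.items(), key=lambda kv: -kv[1])


def rank_risks(risks, weights=FACTOR_WEIGHTS):
    """Return (name, total) pairs, highest total first; ties keep sheet order."""
    validate_weights(weights)
    scored = [(r.name, weighted_score(r.scores, weights)) for r in risks]
    return sorted(scored, key=lambda pair: -pair[1])


# The five risks from the sheet on this page, scores in column order.
SHEET_RISKS = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for name, total in rank_risks(SHEET_RISKS):
        print(f"{total:4d}  {name}")
    # Top three drivers of the highest-ranked risk
    for factor, points in factor_contributions(SHEET_RISKS[0].scores)[:3]:
        print(f"  {factor}: {points}")
```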

Internal Control Policies and Procedures

• Develop a template and a location for access and storage
– SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
– Identify the risk
– Document the control activities
– Strategy for communication

Internal Audit / Management Audit Plan

[Figure: sample internal audit and management audit plan]

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book: Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit / Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18, Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g. proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness level options: Deficiency; Significant Deficiency; Material Weakness
Agency: _______________________ Assessable Unit: _____________ Updated: 07/18/2016
To be completed for all significant deficiencies or material weaknesses
Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) The agency/assessable unit documents its review of sub-recipients; 2) The agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage; 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management; 2) Administrative access to the operating system/servers is limited to authorized personnel; 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
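The leaver handling in 11.4, the semiannual manager attestation in 11.6, and the privileged-access restriction in 11.7 can all be checked mechanically by reconciling the HR roster against the account listing. The Python below is an added example written for this page, not code from the slides or from CliftonLarsonAllen; the roster, accounts, and user IDs are constructed, and the two-week deletion window and the IT-group rule are taken from 11.4.

```python
"""Added example: reconcile an HR roster against an account listing to surface the
exceptions that the 11.4 / 11.6 / 11.7 review questions ask about.
Every record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    separation_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    status: str             # "active" or "suspended"
    is_admin: bool          # holds network/application administrative access
    manager_attested: bool  # business manager verified access this cycle (11.6)


DELETE_AFTER = timedelta(days=14)  # 11.4: IDs are deleted two weeks after the last day
ADMIN_DEPARTMENT = "IT"            # 11.4 item 3: admin access limited to the IT group


def review_access(roster: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Tuple[str, str]]:
    """Return sorted (user_id, finding) pairs for every control exception found."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            # An ID with no HR record cannot be tied to a current employee.
            findings.append((acct.user_id, "NO_HR_RECORD"))
            continue
        separated = emp.separation_date is not None and emp.separation_date <= as_of
        if separated:
            if acct.status == "active":
                # 11.4 item 2: the ID should have been suspended on the last day.
                findings.append((acct.user_id, "ACTIVE_AFTER_SEPARATION"))
            elif as_of > emp.separation_date + DELETE_AFTER:
                # Suspended, but past the two-week window in which it is deleted.
                findings.append((acct.user_id, "NOT_DELETED"))
            continue
        if acct.is_admin and emp.department != ADMIN_DEPARTMENT:
            # 11.4 item 3 / 11.7: administrative access held outside the IT group.
            findings.append((acct.user_id, "ADMIN_OUTSIDE_IT"))
        if acct.status == "active" and not acct.manager_attested:
            # 11.6: every active user must be verified by a business manager.
            findings.append((acct.user_id, "NOT_ATTESTED"))
    return sorted(findings)


# Constructed sample data (hypothetical user IDs); the review date is 2017-04-01.
ROSTER = [
    Employee("alice", "Finance", None),
    Employee("bob", "IT", None),
    Employee("carol", "Finance", date(2017, 3, 1)),      # separated a month ago
    Employee("dave", "Procurement", date(2017, 3, 20)),  # separated 12 days ago
    Employee("frank", "Finance", None),
    Employee("grace", "Finance", None),
    Employee("hank", "IT", date(2017, 4, 15)),           # leaves after the review date
]
ACCOUNTS = [
    Account("alice", "active", False, True),
    Account("bob", "active", True, True),         # admin inside IT: expected
    Account("carol", "suspended", False, False),  # suspended but never deleted
    Account("dave", "active", False, True),       # still active after separation
    Account("erin", "active", True, False),       # no HR record at all
    Account("frank", "active", True, True),       # admin outside the IT group
    Account("grace", "active", False, False),     # not attested by a manager
    Account("hank", "active", False, True),       # current employee, clean
]


def sample_findings() -> List[Tuple[str, str]]:
    return review_access(ROSTER, ACCOUNTS, date(2017, 4, 1))


if __name__ == "__main__":
    for user_id, finding in sample_findings():
        print(f"{user_id:8} {finding}")
```

Each finding maps back to one question on the slide, which makes the output usable as evidence for the access review rather than a one-off script.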
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
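The batch-level controls named in 10.9 (numerical sequence checks, batch totals against control accounts) and in 11.25 and 11.26 (reconciliation to source, to input file, and to output file; identification and resolution of rejected transactions) fit together as one reconciliation routine. The Python below is an added example written for this page, not code from the slides or from CliftonLarsonAllen; the 'seq|txn_id|amount' record layout and every transaction in it are constructed.

```python
"""Added example: reconcile one batch from source -> input file -> output file with the
edit checks, control totals, and rejected-transaction follow-up of 10.9 / 11.25 / 11.26.
The record layout and all transactions below are constructed for illustration."""
from collections import Counter
from decimal import Decimal
from typing import Dict, Iterable, List


def parse_batch(lines: Iterable[str]) -> List[Dict]:
    """Parse constructed 'seq|txn_id|amount' records, one per line; blank lines are skipped."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        seq, txn_id, amount = line.strip().split("|")
        records.append({"seq": int(seq), "txn_id": txn_id, "amount": Decimal(amount)})
    return records


def control_totals(records: List[Dict]):
    """Record count and hash total of amounts: the batch totals compared at each hand-off."""
    return len(records), sum((r["amount"] for r in records), Decimal("0.00"))


def reconcile(source: List[Dict], input_file: List[Dict], output_file: List[Dict],
              rejected: List[Dict]) -> List[str]:
    """Return findings in check order for one batch; an empty list means it balances."""
    findings = []

    # 1. Source -> input file: count and hash total must carry across unchanged.
    src_n, src_total = control_totals(source)
    in_n, in_total = control_totals(input_file)
    if src_n != in_n:
        findings.append(f"SOURCE_INPUT_COUNT source={src_n} input={in_n}")
    if src_total != in_total:
        findings.append(f"SOURCE_INPUT_TOTAL source={src_total} input={in_total}")

    # 2. Numerical-sequence edit check: every source sequence number arrives exactly once.
    in_seqs = Counter(r["seq"] for r in input_file)
    for seq in sorted(r["seq"] for r in source):
        if in_seqs[seq] == 0:
            findings.append(f"SEQUENCE_GAP {seq}")
        elif in_seqs[seq] > 1:
            findings.append(f"SEQUENCE_DUPLICATE {seq}")

    # 3. Input -> output: each input transaction lands in exactly one of output or rejected.
    out_ids = {r["txn_id"] for r in output_file}
    rej_by_id = {r["txn_id"]: r for r in rejected}
    for r in input_file:
        in_out, in_rej = r["txn_id"] in out_ids, r["txn_id"] in rej_by_id
        if in_out and in_rej:
            findings.append(f"IN_OUTPUT_AND_REJECTED {r['txn_id']}")
        elif not in_out and not in_rej:
            findings.append(f"UNACCOUNTED {r['txn_id']}")

    # 4. Balancing: input total must equal output total plus the rejected amounts.
    out_total = control_totals(output_file)[1]
    rej_total = sum((r["amount"] for r in input_file if r["txn_id"] in rej_by_id),
                    Decimal("0.00"))
    if in_total != out_total + rej_total:
        findings.append(f"INPUT_OUTPUT_BALANCE input={in_total} "
                        f"output={out_total} rejected={rej_total}")

    # 5. Rejected transactions must be identified AND resolved, not merely logged.
    for txn_id, rej in rej_by_id.items():
        if not rej["resolved"]:
            findings.append(f"UNRESOLVED_REJECT {txn_id}")
    return findings


# Constructed batch: the file transfer dropped seq 4, and T-1003 was rejected downstream.
SOURCE = parse_batch(["1|T-1001|100.00", "2|T-1002|250.50", "3|T-1003|75.25",
                      "4|T-1004|19.99", "5|T-1005|300.00"])
INPUT_FILE = parse_batch(["1|T-1001|100.00", "2|T-1002|250.50", "3|T-1003|75.25",
                          "5|T-1005|300.00"])
OUTPUT_FILE = parse_batch(["1|T-1001|100.00", "2|T-1002|250.50", "5|T-1005|300.00"])
REJECTED = [{"txn_id": "T-1003", "reason": "invalid vendor code", "resolved": False}]


def sample_findings() -> List[str]:
    return reconcile(SOURCE, INPUT_FILE, OUTPUT_FILE, REJECTED)


if __name__ == "__main__":
    for finding in sample_findings() or ["batch balances"]:
        print(finding)
```

Note that the balance in step 4 still holds for the sample batch even though a record was lost in transfer; only the source-to-input comparison and the sequence check catch that loss, which is why 11.26 asks for reconciliation at each hand-off rather than only at the end.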
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
    Question: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
    Question: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
    Question: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
    Question: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
    Question: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Question: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
    Question: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors.
    Question: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
    Question: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
    Question: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and in compliance with state and federal program requirements.
    Question: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur.
    Question: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
    Question: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
    Question: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
    Question: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants and other governments; complaints/inquiries; advice from outside parties; etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
    Question: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
    Question: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
    Question: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
    Question: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
    Question: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
    Question: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
    Question: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
    Question: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
    Question: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
    Question: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
    Question: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

From COSO to Green Book Harmonization

(Figure: two-column comparison, COSO | Green Book)

Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness

Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control

Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved
• What is an internal control system in Green Book?
  – An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved

Relationship Between Components, Principles and Attributes

(Figure: hierarchy of Objectives, Components, Principles and Attributes, illustrated with one chain)
Objective: Process vendor bills after the valid purchase and receipt of goods or services
Component: Control Activity
Principle: Design Activities for Information System
Attribute: Application Control – Workflow Approval

Components and Principles

Revised Green Book Principles: 5 Components and 17 Principles

Working Framework: Component, Principle, Attribute

Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
  – Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation

• An effective internal control system requires that each of the five components is:
  – Effectively designed, implemented and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

(Figure: two sections, Overview | Standards)

5 Control Components

• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as its sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

(Figure: progression starting at "HERE" through four steps)
1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Deliverables shown with the steps: Written Policy (Required); Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring

(Figure: progression continues through four steps to "THERE")
1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high-exposure risks
4. Develop a process to ensure the controls are operating as designed

Deliverables shown with the steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, used by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 32512, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Scoring factors and weights (weights total 100):
  Level of documented control procedures (10) | Size or volume (10) | New products, services or processing systems (10) | Personnel turnover and mix (15) | Complexity (15) | Susceptibility to fraud (15) | Information and reporting (10) | Inherent level of risk to the organization (10) | Frequency mentioned during interviews (5)

Total Score = sum of (weight × rating) across the nine factors.

Risk | Description | Ratings (in the factor order above) | Total Score
Data Breach | The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged | 2, 5, 4, 3, 5, 4, 5, 5, 3 | 405
National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization | 3, 5, 4, 3, 4, 1, 2, 5, 5 | 335
Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization | 3, 5, 4, 3, 4, 3, 1, 4, 3 | 335
Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination | 5, 2, 1, 5, 3, 2, 3, 5, 5 | 335
Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing | 3, 5, 3, 1, 4, 2, 4, 5, 5 | 330
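The Total Score column reconciles as the weighted sum of the nine ratings (for Data Breach: 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405). The following is an added example, not the deck's or Wolf Trap's own code, that reproduces the scoring in Python with the checks a spreadsheet SUMPRODUCT does not enforce: weights that total 100, one rating per factor, and ratings inside the scale. The factor names, weights and the five risks' ratings are transcribed from the sheet; the 1-5 rating scale is an assumption (every rating on the sheet falls in that range), and the function names are the example's own. The ranking and the single-factor what-if go slightly beyond the sheet, which only shows totals.

```python
"""Weighted inherent-risk scoring behind the Enterprise Risk Management sheet.

Added illustration, not the slide deck's or Wolf Trap's own code. Factor names,
weights and ratings are transcribed from the sheet; the 1-5 rating scale and
the function names are this example's assumptions.
"""

# (factor, weight) in the sheet's column order; the weights are percentages.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Ratings per risk, in the same column order as FACTORS.
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

RATING_MIN, RATING_MAX = 1, 5  # assumed scale; every rating on the sheet is within 1..5


def weights_balanced(factors=FACTORS):
    """Weights are percentages: a sheet whose weights do not total 100 is misconfigured."""
    return sum(w for _, w in factors) == 100


def score(ratings, factors=FACTORS):
    """Total score = sum(weight * rating). Ragged or out-of-range rows raise instead of
    scoring silently, which is where a spreadsheet formula would just return a number."""
    if len(ratings) != len(factors):
        raise ValueError(f"expected {len(factors)} ratings, got {len(ratings)}")
    for (name, _), r in zip(factors, ratings):
        if not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"{name}: rating {r} outside {RATING_MIN}-{RATING_MAX}")
    return sum(w * r for (_, w), r in zip(factors, ratings))


def max_score(factors=FACTORS):
    """Ceiling of the scale (500 for the sheet's weights), useful for reading a total as a fraction."""
    return RATING_MAX * sum(w for _, w in factors)


def rank(risks=RISKS, factors=FACTORS):
    """Risks ordered highest score first; ties broken by name so the order is deterministic."""
    scored = [(name, score(r, factors)) for name, r in risks.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def what_if(ratings, factor_index, new_rating, factors=FACTORS):
    """Score delta if one factor's rating changes, e.g. after controls are documented."""
    changed = list(ratings)
    changed[factor_index] = new_rating
    return score(changed, factors) - score(ratings, factors)


if __name__ == "__main__":
    assert weights_balanced()
    for name, total in rank():
        print(f"{total:4d} / {max_score()}  {name}")
    # Data Breach: moving "documented control procedures" from 2 to 5 changes the total by 3 * 10.
    print("Data Breach what-if:", what_if(RISKS["Data Breach"], 0, 5))
```

Running it reproduces the sheet's totals (405, 335, 335, 335, 330) and puts Data Breach first; the what-if shows that the three 15-weight factors move a total three times as far per rating point as the interview-frequency factor, which is the property to keep in mind when deciding which rating to argue about in a risk workshop.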

Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

Internal Audit / Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

Examples: Commonwealth processes mapped to the associated Green Book principle

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016
Weakness Level (drop-down): Deficiency | Significant Deficiency | Material Weakness
To be completed for all significant deficiencies or material weaknesses.
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?
1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?
Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility, and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials, and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
    Question: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems.
    Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
    Question: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
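Control factors 10.5 and 10.6 describe the test an access review actually performs: no single person holds a conflicting combination of duties, and any exception is covered by a documented compensating control. The Python block below is an added example, not part of the template or of CLA's material. The four duties are the ones 10.5 names; the conflict matrix (every pair of those four duties), the user assignments and the compensating-control register are constructed for the demo.

```python
"""Segregation-of-duties check over role assignments (added example).

The four sensitive duties come from control factor 10.5. Treating every
pair of them as a conflict is an assumption for this demo; a real review
would use the agency's own conflict matrix.
"""
from itertools import combinations

SENSITIVE_DUTIES = ("initiate_transactions", "reconcile_balances",
                    "handle_assets", "review_reports")
# Conflict matrix: each pair of sensitive duties that one person must not hold.
CONFLICTS = {frozenset(p) for p in combinations(SENSITIVE_DUTIES, 2)}

# Constructed assignments: user -> set of duties granted across systems.
ASSIGNMENTS = {
    "ajones": {"initiate_transactions", "review_reports"},
    "bsmith": {"reconcile_balances"},
    "cdoe":   {"handle_assets", "reconcile_balances", "initiate_transactions"},
    "dlee":   {"review_reports", "approve_timesheets"},   # second duty is not sensitive
}

# Constructed register of documented compensating controls. 10.5 allows an
# exception only when such a control is implemented and documented.
COMPENSATING_CONTROLS = {
    ("ajones", frozenset({"initiate_transactions", "review_reports"})):
        "Supervisor re-performs monthly report review; signed 2016-07-01",
}


def find_conflicts(assignments, conflicts=CONFLICTS):
    """Return {user: [conflicting duty pair, ...]} for every user who holds
    two duties that the conflict matrix says must be segregated."""
    found = {}
    for user, duties in assignments.items():
        pairs = [frozenset(p) for p in combinations(sorted(duties), 2)]
        hits = [p for p in pairs if p in conflicts]
        if hits:
            found[user] = sorted(hits, key=sorted)
    return found


def classify(assignments, register=COMPENSATING_CONTROLS, conflicts=CONFLICTS):
    """Split conflicts into 'mitigated' (a documented compensating control
    exists for that user and pair) and 'open' (needs remediation or a
    documented exception before the assessment can be signed)."""
    result = {"mitigated": [], "open": []}
    for user, pairs in find_conflicts(assignments, conflicts).items():
        for pair in pairs:
            note = register.get((user, pair))
            bucket = "mitigated" if note else "open"
            result[bucket].append((user, tuple(sorted(pair)), note))
    return result


if __name__ == "__main__":
    report = classify(ASSIGNMENTS)
    for status in ("open", "mitigated"):
        for user, pair, note in report[status]:
            extra = f"  [{note}]" if note else ""
            print(f"{status.upper():9} {user}: {pair[0]} + {pair[1]}{extra}")
```

Run as a script it lists cdoe's three open conflicts and ajones's one mitigated conflict; dlee is clean because only one of the two duties held is sensitive. The "open" list is what goes into the Action Items column, and the register note is the evidence the Controls Implemented column asks for.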
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Question: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
    Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
    Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Question: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
    Question: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Question: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
    Question: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
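Control factors 11.3, 11.4 and 11.6 together state the condition every account should be in at any point in time: password younger than 30 days, suspended after four invalid logins, suspended on the separation date and deleted two weeks later, access commensurate with the job function, and administrative access confined to the IT group. The Python block below is an added example, not the Commonwealth's or CLA's code; it reconciles a constructed HR roster against a constructed directory export and reports each account that departs from those conditions, which is the evidence a semiannual access review produces. The role-to-access map, the orphan-account check (an account with no HR record at all) and all sample records are assumptions made for the demo.

```python
"""Account-hygiene checks for an access review (added example).

Thresholds are taken from control factors 11.3 and 11.4; the roster, the
directory export and the role-to-access map are constructed for this demo.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2016, 7, 18)          # constructed: date of the review
PASSWORD_MAX_AGE = timedelta(days=30)    # 11.3: passwords expire every 30 days
LOCKOUT_THRESHOLD = 4                    # 11.3: four invalid logins suspend the ID
DELETE_AFTER = timedelta(days=14)        # 11.4: IDs deleted two weeks after separation

# Assumed access a business manager would sign off on per job function (11.6).
EXPECTED_ACCESS = {"clerk": "user", "analyst": "user", "sysadmin": "admin"}

# Constructed HR roster: user -> (job function, separation date or None, in IT group?)
HR = {
    "ajones": ("clerk",    None,              False),
    "bsmith": ("analyst",  date(2016, 7, 15), False),   # separated 3 days ago
    "cdoe":   ("clerk",    date(2016, 6, 20), False),   # separated 28 days ago
    "dlee":   ("sysadmin", None,              True),
    "efox":   ("analyst",  None,              False),
}

# Constructed directory export: user -> attributes from the identity store
ACCOUNTS = {
    "ajones":  {"access": "user",  "status": "active",    "pw_set": date(2016, 7, 1),  "failed": 1},
    "bsmith":  {"access": "user",  "status": "active",    "pw_set": date(2016, 7, 1),  "failed": 0},
    "cdoe":    {"access": "user",  "status": "suspended", "pw_set": date(2016, 5, 1),  "failed": 0},
    "dlee":    {"access": "admin", "status": "active",    "pw_set": date(2016, 7, 10), "failed": 0},
    "efox":    {"access": "admin", "status": "active",    "pw_set": date(2016, 5, 30), "failed": 5},
    "svc_old": {"access": "user",  "status": "active",    "pw_set": date(2016, 1, 1),  "failed": 0},
}


def audit(accounts, hr, today=REVIEW_DATE):
    """Return a list of (user, finding) tuples; each finding names the control
    factor whose expected state the account does not match."""
    findings = []
    for user, acct in accounts.items():
        if user not in hr:
            # Assumed check: an account nobody in HR owns cannot be reviewed by a manager.
            findings.append((user, "11.6: no HR record for this account (orphan)"))
            continue
        job, separated, in_it = hr[user]
        if separated is not None:
            if acct["status"] != "suspended" and today >= separated:
                findings.append((user, "11.4: separated but ID not suspended"))
            if today - separated > DELETE_AFTER:
                findings.append((user, "11.4: separated over two weeks, ID not deleted"))
            continue   # access-level checks do not apply to leavers
        if acct["access"] != EXPECTED_ACCESS.get(job):
            findings.append((user, f"11.6: access '{acct['access']}' not commensurate with job '{job}'"))
        if acct["access"] == "admin" and not in_it:
            findings.append((user, "11.4: administrative access outside the IT group"))
        if acct["status"] == "active" and today - acct["pw_set"] > PASSWORD_MAX_AGE:
            findings.append((user, "11.3: password older than 30 days still active"))
        if acct["failed"] >= LOCKOUT_THRESHOLD and acct["status"] != "suspended":
            findings.append((user, "11.3: four or more invalid logins but ID not suspended"))
    return findings


def count_by_control(findings):
    """Tally findings by the control factor they cite, for the assessment's Weakness Level column."""
    counts = {}
    for _, msg in findings:
        cf = msg.split(":")[0]
        counts[cf] = counts.get(cf, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(ACCOUNTS, HR)
    for user, msg in results:
        print(f"{user:8} {msg}")
    print(count_by_control(results))
```

On the constructed data, ajones and dlee pass, bsmith is a leaver still active, cdoe is past the deletion window, efox trips four separate checks (wrong access level, admin outside IT, stale password, lockout not applied) and svc_old has no owner. Each finding maps to one row of the template, so the tally by control factor is what the Weakness Level and Corrective Action Plan columns are filled from.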
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
    Question: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
    Question: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
    Question: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Question: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Question: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development life cycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
   Questions: Has a written system development life cycle been established that outlines requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define the project scope, requirements, project plans, and milestones.
   Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementation.
   Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementation?
11.18 For all new or upgraded applications, testing is planned, and the results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
   Questions: Is testing planned for all new or upgraded applications? Are the results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
   Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately, and support for the reconciliations is retained. A post-implementation review of all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
   Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for the reconciliations retained? Is a post-implementation review of all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees so they can determine whom to contact in the event of a processing failure, and errors are resolved and documented.
   Questions: Are automated jobs scheduled and monitored by computer operations personnel through an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees so they can determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed daily. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. (An inventory confirms that the tapes exist; whether they actually restore is exercised by the contingency plan testing under 11.29.)
   Questions: Are full system backups performed on a weekly/monthly basis? Are incremental backups of critical data performed daily? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
   Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
   Questions: Does management establish restrictive authorization controls within its operations, including controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports.
   Questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to the source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file).
   Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
   Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
   Questions: Has management taken steps to prevent and minimize potential damage and interruption through data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
   Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
   Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
   Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
   Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities.
   Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This includes management's review of changes to statutes, regulations, economic conditions, and other factors.
   Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
   Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and does not report false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
   Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are used to run reports that meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, are up to date, reflect actual operating practices, align with goals and objectives, and comply with state and federal program requirements.
   Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.).
   Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
   Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy enabling staff to communicate with management, including about any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (i.e., flyer hanging in the community room, email, onboarding process).
   Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
   Questions: What is the process and timeframe for reviewing reports received from subordinates to evaluate the accuracy, timeliness, and relevance of the information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications occur (e.g., open channels with customers, suppliers, contractors, consultants, and other governments; complaints/inquiries; advice from outside parties; etc.) with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
   Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners.
   Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
   Questions: Does management use professional judgment regarding what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
   Questions: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
   Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate parties, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
   Questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing the audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). (A SOC report covers a stated period and a stated set of systems, and it assumes the user entity operates certain complementary controls; the review should confirm the period and scope match the service actually used and that those complementary controls are in place.)
   Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
   Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
   Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
   Questions: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
   Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to the findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Revised Green Book: Standards for Internal Control in the Federal Government

• Consists of 2 sections
  – Overview
  – Standards
• Establishes
  – Definition of internal control
  – Categories of objectives
  – Components and principles of internal control
  – Requirement for effectiveness


Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate to an entity's objectives
• Discusses management evaluation of internal control


Fundamental Concepts

• What is internal control in the Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved.
• What is an internal control system in the Green Book?
  – An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved.


Relationship Between Components, Principles, and Attributes

(Figure: Objectives, Components, Principles, and Attributes shown as a nested hierarchy, with one chain worked through as an example.)
  Objective: Process vendor bills after the valid purchase and receipt of goods or services
  Component: Control Activity
  Principle: Design Activities for Information System
  Attribute: Application Control – Workflow Approval


Components and Principles



Revised Green Book Principles: 5 Components and 17 Principles


Component, Principle, Attribute: Working Framework


Principles and Attributes

• In general, all components and principles are required for an effective internal control system.
• Principles and attributes
  – The entity should implement relevant principles.
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles.


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.
• Attributes provide further explanation of the principle and documentation requirements; they may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.


Management Evaluation

• An effective internal control system requires that each of the five components is
  – Effectively designed, implemented, and operating
  – Operating together with the others in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system.
• A component is not effective if its related principles are not effective.


Layout of the Green Book



5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components



Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

Requirement | Component (Green Book paragraph reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)


In Practicehellip



We Find…

• Management has not formally adopted an internal control framework.
• Internal controls are undermanaged.
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated.
• Auditors use frameworks for evaluating internal controls.
  – Management relies on auditor recommendations as its sole form of risk assessment.
• Generally, management is not well trained in designing and implementing internal controls.


Incremental Progress - Organizing

(Figure: a path starting at HERE through four steps, each paired with the artifact it produces.)
  1. Formally declare an internal control framework – Written Policy (Required)
  2. Break down the organization into functions – Risk Assessment Spreadsheet
  3. Establish a process for evaluating risks – Risk Assessment Spreadsheet
  4. Create teams by function to brainstorm risks – Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring

(Figure: the path continues through four further steps and ends at THERE.)
  5. Analyze identified risks
  6. Align existing controls with identified risks
  7. Design controls to mitigate high-exposure risks
  8. Develop a process to ensure the controls are operating as designed

Artifacts shown alongside these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required).


Written Policy



Other Implementation Considerations

• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment/risk assessment control factors that may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, select the yellow status. If the standard is not being met and no steps are currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward correcting the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk scoring matrix. Each risk is scored against nine factors; the Total Score is the sum of each factor score multiplied by the factor's weight (the weights sum to 100).

Factors and weights:
  A. Level of documented control procedures (10)
  B. Size or volume (10)
  C. New products, services, or processing systems (10)
  D. Personnel turnover and mix (15)
  E. Complexity (15)
  F. Susceptibility to fraud (15)
  G. Information and reporting (10)
  H. Inherent level of risk to the organization (10)
  I. Frequency mentioned during interviews (5)

Risk                                 A  B  C  D  E  F  G  H  I  Total
Data Breach                          2  5  4  3  5  4  5  5  3   405
National Park Service Relationship   3  5  4  3  4  1  2  5  5   335
Age of Venue (Filene Center)         3  5  4  3  4  3  1  4  3   335
Succession Planning                  5  2  1  5  3  2  3  5  5   335
Audience Competition                 3  5  3  1  4  2  4  5  5   330

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and that, should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.

Age of Venue (Filene Center): The risk that investment in the physical structure, sound equipment, and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions, should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
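The Total Score column is the weighted sum of the nine factor scores (for Data Breach: 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405). The Python below is an added example, not code from the CLA slides, that reproduces that calculation from the slide's factors, weights, and scores, validates that the weights sum to 100, ranks the risks, and breaks each total into per-factor contributions so a reviewer can see which factor is driving a score. The 1-to-5 score scale is an assumption inferred from the values on the slide.

```python
# Weighted risk-scoring matrix (added example, not from the original slides).
# Factor names, weights, and the five risks' scores are taken from the
# Enterprise Risk Management slide; the 1-5 score range is an assumption
# inferred from the scores shown there.

# (factor, weight) in the slide's column order; weights sum to 100
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Scores from the slide, in the same column order as FACTORS
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

SCORE_MIN, SCORE_MAX = 1, 5   # assumed scale


def validate_weights(factors=FACTORS):
    """Weights must be positive and sum to 100 so totals are comparable."""
    if any(w <= 0 for _, w in factors):
        raise ValueError("weights must be positive")
    if sum(w for _, w in factors) != 100:
        raise ValueError("weights must sum to 100")
    return True


def total_score(scores, factors=FACTORS):
    """Weighted sum: each factor score times that factor's weight."""
    if len(scores) != len(factors):
        raise ValueError("one score per factor required")
    for s in scores:
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"score {s} outside {SCORE_MIN}-{SCORE_MAX}")
    return sum(s * w for s, (_, w) in zip(scores, factors))


def rank_risks(risks=RISKS, factors=FACTORS):
    """Return [(risk, total), ...], highest total first; ties broken by name."""
    validate_weights(factors)
    totals = [(name, total_score(scores, factors)) for name, scores in risks.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


def largest_contributors(scores, factors=FACTORS, n=3):
    """Factors contributing most (score * weight) to one risk's total: the
    places where a stronger control would move the score the most."""
    contrib = [(name, s * w) for s, (name, w) in zip(scores, factors)]
    return sorted(contrib, key=lambda c: (-c[1], c[0]))[:n]


def max_possible(factors=FACTORS):
    """Ceiling for a total under this scale and these weights (500 here)."""
    return SCORE_MAX * sum(w for _, w in factors)


if __name__ == "__main__":
    for name, total in rank_risks():
        print(f"{total:4d} / {max_possible()}  {name}")
        for factor, contribution in largest_contributors(RISKS[name]):
            print(f"          {contribution:3d}  {factor}")
```

For Data Breach the ranking shows Complexity (75) and Susceptibility to fraud (60) carrying more than a third of the 405, which is the kind of breakdown that tells a reviewer where a control investment would change the score rather than just where the total lands.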


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

Examples

Principle | Control Factor
1  | Executive Order 1980-18, Amended (Code of Conduct)
1  | Performing professional and educational reference checks prior to hiring a new employee
3  | Department organization charts
4  | Annual employee performance evaluations
7  | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________    Assessable Unit: _____________    Updated 07/18/2016

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level (drop-down: Deficiency, Significant Deficiency, Material Weakness) | Corrective Action Plan | Responsible Party | Target Completion Date
(Corrective Action Plan, Responsible Party, and Target Completion Date are to be completed for all significant deficiencies or material weaknesses.)
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals, and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to employees (e.g., annually, at a change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such standards (Management Directive 205.9).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often does it meet to review and discuss internal controls?

2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal control to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including hiring the most qualified individuals based on skills, knowledge, experience, and evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as they pertain to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and to enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable them to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations conducted on a timely basis to ensure job duties (e.g., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for non-financial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define a reasonable level of precision and accuracy for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 A process (e.g., a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable-unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable-unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (e.g., an open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would have the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would have the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (e.g., in minutes of meetings)?

Principle 8 – Assess Fraud Risk

8.1 Specific anti-fraud policies and training have been developed; employees periodically receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Question: Does your Agency/Assessable Unit have specific internal anti-fraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify the types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies the fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy the control deficiencies identified.
Question: How does management perform fraud risk assessments on a regular basis to identify the types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Question: How does management respond to any identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future, and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable-unit-wide objectives.
Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as Social Security numbers or protected health information.
Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
Question: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk.
Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
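Control factors 10.5 and 10.6 ask for a segregation-of-duties process and an at-least-annual review of roles within IT systems. The Python below is an added example, not Commonwealth or CLA code, of such a review over exported role assignments: it takes the conflicting-duty pairs from the example in 10.5 (initiate transactions, reconcile balances, handle assets, review reports) plus an assumed initiate/approve pair, merges exports from several systems so that a conflict split across two systems is still caught, and separates conflicts that have a documented compensating control (as 10.5 requires where segregation is not practical) from those that belong in the Action Items column. The role names, users, system names, and compensating-control register are constructed sample data.

```python
# Segregation-of-duties review over IT role assignments (added example).
# The conflicting pairs follow the 10.5 statement that no one person should
# initiate transactions, reconcile balances, handle assets, and review reports;
# the initiate/approve pair is an added assumption. Users, systems, role names
# and the compensating-control register below are constructed.

from itertools import combinations

# Pairs of roles that must not be held by one person (order-independent)
CONFLICTS = {
    frozenset({"initiate_transaction", "approve_transaction"}),
    frozenset({"initiate_transaction", "reconcile_balances"}),
    frozenset({"approve_transaction", "reconcile_balances"}),
    frozenset({"handle_assets", "reconcile_balances"}),
    frozenset({"handle_assets", "review_reports"}),
}

# Constructed role exports, one per system: system -> user -> roles
EXPORTS = {
    "erp": {
        "alice": {"initiate_transaction", "review_reports"},
        "bob": {"initiate_transaction", "approve_transaction"},   # conflict in one system
        "carol": {"handle_assets", "reconcile_balances"},         # conflict, compensated
        "eve": {"initiate_transaction"},
    },
    "bank_portal": {
        "dave": {"review_reports"},
        "eve": {"reconcile_balances"},   # with eve's ERP role, a cross-system conflict
    },
}

# Constructed register of documented compensating controls:
# (user, conflicting pair) -> description of the control
COMPENSATING = {
    ("carol", frozenset({"handle_assets", "reconcile_balances"})):
        "Monthly supervisory review of the reconciliation by the finance director",
}


def merge_systems(exports):
    """Combine per-system exports into user -> union of roles across systems,
    so a conflict assembled from two systems is visible to the review."""
    merged = {}
    for assignments in exports.values():
        for user, roles in assignments.items():
            merged.setdefault(user, set()).update(roles)
    return merged


def find_conflicts(assignments, conflicts=CONFLICTS):
    """Return {user: [conflicting pair, ...]} for every user holding a pair
    listed in conflicts (pairs are frozensets of two role names)."""
    found = {}
    for user, roles in assignments.items():
        pairs = [frozenset(p) for p in combinations(sorted(roles), 2)]
        hits = [p for p in pairs if p in conflicts]
        if hits:
            found[user] = sorted(hits, key=lambda p: tuple(sorted(p)))
    return found


def uncompensated(assignments, compensating=COMPENSATING, conflicts=CONFLICTS):
    """Conflicts with no documented compensating control: the findings that
    go in the Action Items / Areas Needing Improvement column."""
    return [(user, pair)
            for user, pairs in find_conflicts(assignments, conflicts).items()
            for pair in pairs
            if (user, pair) not in compensating]


if __name__ == "__main__":
    merged = merge_systems(EXPORTS)
    for user, pairs in find_conflicts(merged).items():
        for pair in pairs:
            status = "compensated" if (user, pair) in COMPENSATING else "OPEN"
            print(f"{status:12s} {user}: {' + '.join(sorted(pair))}")
```

Run per system, the ERP export alone shows bob and carol; only the merged view shows eve, whose initiate role in the ERP and reconcile role in the bank portal together form a conflict that neither system's own role review would report. That is the reason 10.6's annual role review has to span systems rather than be done system by system.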
10.7 Management designs control activities to ensure that certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to identified risks (e.g., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (e.g., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take the following controls into consideration when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals reconciled with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Question: Does management utilize the appropriate types of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity level, bureau level, transaction level) in response to identified risks. Management will incorporate transactional/activity controls (e.g., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Question: Does management design controls at the appropriate level in response to identified risks? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the current retention schedule.
Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews the corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review the corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be, or are, required as part of the contract with the third-party service provider.
Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be, or are, required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
Question: Does management obtain and review all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Question: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (e.g., an online shared document repository or web portal with documents available for employee review/access).
Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alphabetic character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and the user IDs are placed in a suspended status.
Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alphabetic character, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, with user IDs placed in a suspended status?
(Note: these parameters are the template's 2016 baseline. NIST SP 800-63B, issued in 2017, advises against mandatory periodic password expiration and composition rules in favor of longer passwords screened against known-compromised lists, throttling of failed attempts, and multi-factor authentication; an agency adopting this control factor should reconcile it with current guidance.)

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Question: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-On).
Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job functions. The Data Security group is responsible for performing all modifications to information system access.
Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job functions? Is the Data Security group responsible for granting, changing, and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
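One way to evidence control factor 11.3 rather than attest to it from memory: read the domain's effective password and lockout settings and rate each against the thresholds the control states. This is an added example, not part of the CLA deck or the Commonwealth template; it assumes the ActiveDirectory RSAT module and read access to the domain, and the Effective/Needs review ratings are this example's own labels for the green/yellow statuses.

```powershell
# Added example: compare the domain password policy with the values written in
# control factor 11.3 (8-character minimum, complexity, 30-day expiry, lockout
# after 4 invalid attempts). Requires the ActiveDirectory module (RSAT).
#Requires -Modules ActiveDirectory

# Expected values exactly as stated in control factor 11.3.
$Expected = [ordered]@{
    MinPasswordLength  = 8
    ComplexityEnabled  = $true   # "one numeric and one alpha character are required"
    MaxPasswordAgeDays = 30      # "passwords expire every 30 days"
    LockoutThreshold   = 4       # "suspended after four invalid login attempts"
}

function Test-PasswordPolicyControl {
    param(
        [Parameter(Mandatory)] $Policy,   # output of Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        [string] $Scope = 'Default Domain Policy'
    )
    # MaxPasswordAge is a TimeSpan; 0 days means "never expires", which must fail the 30-day test.
    $actual = [ordered]@{
        MinPasswordLength  = $Policy.MinPasswordLength
        ComplexityEnabled  = $Policy.ComplexityEnabled
        MaxPasswordAgeDays = [int]$Policy.MaxPasswordAge.TotalDays
        LockoutThreshold   = $Policy.LockoutThreshold
    }
    foreach ($name in $Expected.Keys) {
        $ok = switch ($name) {
            'MinPasswordLength'  { $actual[$name] -ge $Expected[$name] }
            'ComplexityEnabled'  { $actual[$name] -eq $Expected[$name] }
            # An expiry or lockout threshold of 0 disables the control entirely.
            'MaxPasswordAgeDays' { $actual[$name] -gt 0 -and $actual[$name] -le $Expected[$name] }
            'LockoutThreshold'   { $actual[$name] -gt 0 -and $actual[$name] -le $Expected[$name] }
        }
        [pscustomobject]@{
            Scope     = $Scope
            Parameter = $name
            Expected  = $Expected[$name]
            Actual    = $actual[$name]
            Rating    = if ($ok) { 'Effective' } else { 'Needs review' }
        }
    }
}

# The default domain policy is what most assessments look at...
$results = @(Test-PasswordPolicyControl -Policy (Get-ADDefaultDomainPasswordPolicy) -Expected $Expected)

# ...but fine-grained password policies (PSOs) override it for the groups they
# apply to, so privileged accounts can sit outside the default settings.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicyControl -Policy $pso -Expected $Expected -Scope "PSO: $($pso.Name)"
}

$results | Format-Table -AutoSize
```

The table it prints can be pasted into the Controls Implemented column as evidence; any "Needs review" row belongs in the Action Items column.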
Program Changes
11.10 Control factor: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
  Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Control factor: Management authorization is requested and obtained prior to initiating an application change.
  Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Control factor: Application changes are tested, and results of successful testing are documented prior to implementation.
  Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Control factor: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
  Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Control factor: Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
  Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 Control factor: A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
  Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 Control factor: For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
  Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Control factor: Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
  Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 Control factor: For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
  Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Control factor: Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
  Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 Control factor: The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
  Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Control factor: Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
  Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Control factor: Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
  Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 Control factor: In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
  Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Control factor: Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
  Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Control factor: Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
  Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Control factor: Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file).
  Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 Control factor: A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
  Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Control factor: Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
  Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Control factor: Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
  Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Control factor: Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
  Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control factor: Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
  Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Control factor: Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
  Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Control factor: Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
  Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Control factor: Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statutes and regulations, economic changes and other factors.
  Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Control factor: Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
  Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Control factor: Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
  Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Control factor: Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements.
  Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Control factor: Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur.
  Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Control factor: Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
  Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
  Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Control factor: Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
  Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Control factor: Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
  Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
  Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Control factor: Appropriate management reviews occur prior to report submission to parties outside the agency.
  Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Control factor: Management establishes a baseline to monitor the internal control system.
  Questions: Has management established a baseline to monitor the internal control system?
16.2 Control factor: Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
  Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Control factor: Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
  Questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Control factor: Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
  Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Control factor: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
  Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Control factor: Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
  Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Control factor: Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
  Questions: How do employees report deficiencies in internal control to management?
17.2 Control factor: Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
  Questions: How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Overview Section

• Explains fundamental concepts of internal control
• Addresses how components, principles and attributes relate to an entity's objectives
• Discusses management evaluation of internal control

Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved.

• What is an internal control system in Green Book?
  – An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved.

Relationship Between Components, Principles and Attributes

(Figure: Objectives, Components, Principles, Attributes, with the following worked example)

Objective: Process vendor bills after the valid purchase and receipt of goods or services
Component: Control Activity
Principle: Design Activities for Information System
Attribute: Application Control – Workflow Approval

Components and Principles

Revised Green Book Principles: 5 Components and 17 Principles

Component, Principle, Attribute: Working Framework

Principles and Attributes

• In general, all components and principles are required for an effective internal control system.

• Principles and attributes
  – Entity should implement relevant principles.
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.
  – Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles.

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system.

• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

Management Evaluation

• An effective internal control system requires that each of the five components are
  – Effectively designed, implemented and operating
  – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system.

• A component is not effective if related principles are not effective.

Layout of the Green Book

(Figure: the Green Book is organized into two sections, Overview and Standards)

5 Control Components

• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens technique"
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

(Diagram: steps from HERE)
1. Formally declare an internal control framework
2. Breakdown the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Documents shown in the diagram: Written Policy (Required); Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring

(Diagram: steps to THERE)
1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high exposure risks
4. Develop a process to ensure the controls are operating as designed

Documents shown in the diagram: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies, it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each identified weakness must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies.

A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possibly associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Scoring factors and weights (the weights sum to 100; the Total Score is the sum of each factor score multiplied by the factor's weight):

  1. Level of documented control procedures .............. 10
  2. Size or volume ...................................... 10
  3. New products, services, or processing systems ....... 10
  4. Personnel turnover and mix .......................... 15
  5. Complexity .......................................... 15
  6. Susceptibility to fraud ............................. 15
  7. Information and reporting ........................... 10
  8. Inherent level of risk to the organization .......... 10
  9. Frequency mentioned during interviews ................ 5
  Total Score ........................................... 100

RISK DESCRIPTION (factor scores 1 to 9 in the order above, then Total Score)

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.
  Factor scores: 2, 5, 4, 3, 5, 4, 5, 5, 3. Total Score: 405

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.
  Factor scores: 3, 5, 4, 3, 4, 1, 2, 5, 5. Total Score: 335

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
  Factor scores: 3, 5, 4, 3, 4, 3, 1, 4, 3. Total Score: 335

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
  Factor scores: 5, 2, 1, 5, 3, 2, 3, 5, 5. Total Score: 335

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
  Factor scores: 3, 5, 3, 1, 4, 2, 4, 5, 5. Total Score: 330
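The Total Score column in the table above is the weighted sum of the nine factor scores. The following Python, added here and not part of the original presentation, reproduces that calculation for the five risks on the slide, checks that the weights total 100, ranks the risks, and shows which factor drives each score; the function names are this example's own.

```python
"""Weighted inherent-risk scoring as used in the Enterprise Risk Management
table above. Added example (not part of the original presentation): the factor
names, weights and scores are transcribed from the slide; the weight check,
ranking and driver analysis are this example's own additions."""

# Factor weights from the slide, in column order; they sum to 100.
WEIGHTS = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services, or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}

# Factor scores transcribed from the slide, in the same column order.
RISK_REGISTER = {
    "Data Breach": (2, 5, 4, 3, 5, 4, 5, 5, 3),
    "National Park Service Relationship": (3, 5, 4, 3, 4, 1, 2, 5, 5),
    "Age of Venue - Filene Center": (3, 5, 4, 3, 4, 3, 1, 4, 3),
    "Succession Planning": (5, 2, 1, 5, 3, 2, 3, 5, 5),
    "Audience Competition": (3, 5, 3, 1, 4, 2, 4, 5, 5),
}


def check_weights(weights=WEIGHTS):
    """Weights must total 100 so scores stay comparable across registers."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def total_score(scores, weights=WEIGHTS):
    """Total Score = sum over factors of (factor score x factor weight)."""
    if len(scores) != len(weights):
        raise ValueError("one score per factor is required")
    return sum(s * w for s, w in zip(scores, weights.values()))


def factor_contributions(scores, weights=WEIGHTS):
    """Per-factor contribution to the total, so the driver of a score is visible."""
    return {name: s * w for (name, w), s in zip(weights.items(), scores)}


def top_driver(scores, weights=WEIGHTS):
    """Factor contributing the most to the total (first one wins on ties)."""
    contributions = factor_contributions(scores, weights)
    return max(contributions.items(), key=lambda kv: kv[1])


def rank_risks(register=RISK_REGISTER, weights=WEIGHTS):
    """Risks ordered by Total Score, highest first; ties broken alphabetically."""
    check_weights(weights)
    scored = [(name, total_score(s, weights)) for name, s in register.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_risks():
        factor, amount = top_driver(RISK_REGISTER[name])
        print(f"{score:4d}  {name:36s} top driver: {factor} ({amount})")
```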


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081


  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples tab

Principle   Control Factor
1           Executive Order 1980-18 Amended, Code of Conduct
1           Performing professional and educational reference checks prior to hiring a new employee
3           Department Organization Charts
4           Annual employee performance evaluations
7           Dept. of Health's Pandemic Influenza Response Plan
10          Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10          User identification and password to log into your agency's computer network
10          Reconciling a petty cash checking account to the monthly bank statement
10          PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10          Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14          Departmental staff meetings, retreats, strategic planning sessions, etc.
Template tab

Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

Weakness Level drop-down options: Deficiency / Significant Deficiency / Material Weakness
Note: To be completed for all significant deficiencies or material weaknesses.

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Statement: Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Statement: Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 Statement: The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience; evidence of integrity and ethical behavior; and performing checks on the background, credentials, and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances

6.1 Statement: The Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 Statement: A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Statement: Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities

10.1 Statement: Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Statement: Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 Statement: The agency has established and monitors performance measures and indicators.
    Question: Do you monitor performance measures?

10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Statement: Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Statement: Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
    Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Statement: Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Statement: Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Questions: Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness. 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., an online shared document repository or web portal with documents available for employee review/access).
    Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; at least one numeric and one alpha character is required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended (locked-out) status.
    Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alpha character, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
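An added example, not part of the checklist, of how the parameters in 11.3 can be evidenced from the domain rather than by interview: the script below parses the output of `net accounts /domain` (the sample text is constructed in that command's format) and reports each parameter that falls short of the control. Two caveats a reviewer should note: `net accounts` reports only the default domain policy, so users covered by a fine-grained password policy must be checked with `Get-ADUserResultantPasswordPolicy`, and it does not show the complexity setting (the alpha-plus-numeric requirement), which is read from `ComplexityEnabled` in `Get-ADDefaultDomainPasswordPolicy` or from a `secedit /export` file. The 30-day expiry and 8-character minimum are the checklist's values; NIST SP 800-63B no longer recommends periodic forced rotation, so a unit that has adopted that guidance should document the deviation rather than report it as an exception.

```python
# Constructed sample in the format printed by `net accounts /domain` on a
# domain-joined Windows host (assumption: a real run is captured to a file).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Parameters stated in control 11.3 (complexity is not visible to `net accounts`).
CONTROL_11_3 = {"min_length": 8, "max_age_days": 30, "lockout_threshold": 4}


def parse_net_accounts(text):
    """Return {setting: value} from `net accounts` output. Values stay strings
    because 'Never' and 'Unlimited' are meaningful, not numbers."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:          # e.g. "The command completed successfully."
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def _as_int(value):
    """'Never' / 'Unlimited' mean the setting is not enforced -> None."""
    if value.strip().lower() in ("never", "unlimited", "none"):
        return None
    return int(value)


def evaluate_password_policy(settings, control=CONTROL_11_3):
    """Compare parsed settings to the control's parameters.
    Returns a list of exception strings; an empty list means no exception."""
    exceptions = []
    min_len = _as_int(settings.get("Minimum password length", "0")) or 0
    if min_len < control["min_length"]:
        exceptions.append(
            f"minimum password length is {min_len}, control requires {control['min_length']}")
    max_age = _as_int(settings.get("Maximum password age (days)", "Unlimited"))
    if max_age is None or max_age > control["max_age_days"]:
        exceptions.append(
            f"maximum password age is {max_age or 'unlimited'} days, "
            f"control requires {control['max_age_days']}")
    threshold = _as_int(settings.get("Lockout threshold", "Never"))
    if threshold is None or threshold > control["lockout_threshold"]:
        exceptions.append(
            f"lockout threshold is {threshold or 'never'}, control requires "
            f"lockout after {control['lockout_threshold']} invalid attempts")
    return exceptions


if __name__ == "__main__":
    for item in evaluate_password_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("EXCEPTION:", item)
```

Run against the constructed sample, all three parameters are reported as exceptions (length 7, expiry 42 days, no lockout). To test a real domain, redirect `net accounts /domain > policy.txt` and feed the file's contents to `parse_net_accounts`.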
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's last day (termination date)? Are suspended user IDs deleted after the two-week period? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. 4) Super user activity is logged and monitored.
    Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
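The reconciliations behind 11.4 (suspension on the last day, deletion after two weeks, administrative access restricted to authorized IT staff), 11.6 (access commensurate with job function) and 11.7 (privileged access limited to authorized personnel) are one and the same test: join the HR roster to an account export and list every account that does not fit. The following is an added example written for this page, not the Commonwealth's procedure; the roster, account export, job entitlement matrix and authorized-administrator lists are constructed, and a real review would export them from HR and Active Directory (for example with `Get-ADUser -Properties Enabled,MemberOf`).

```python
from datetime import date, timedelta

REVIEW_DATE = date(2017, 6, 30)
DELETE_AFTER = timedelta(days=14)   # 11.4: user IDs deleted two weeks after separation

# Constructed HR roster: status, job function and separation date (not real data).
HR_ROSTER = {
    "jsmith":  {"status": "active",    "job": "AP Clerk",  "separated": None},
    "mlee":    {"status": "separated", "job": "AP Clerk",  "separated": date(2017, 6, 28)},
    "rkhan":   {"status": "separated", "job": "Developer", "separated": date(2017, 5, 1)},
    "tgarcia": {"status": "active",    "job": "Developer", "separated": None},
}

# Constructed account export: enabled flag and group memberships.
ACCOUNTS = {
    "jsmith":  {"enabled": True,  "groups": {"AP-Users", "AP-Approvers"}},
    "mlee":    {"enabled": True,  "groups": {"AP-Users"}},
    "rkhan":   {"enabled": False, "groups": {"Dev-Users"}},
    "tgarcia": {"enabled": True,  "groups": {"Dev-Users", "Prod-Admins"}},
    "svc_old": {"enabled": True,  "groups": {"Domain Admins"}},
}

# Groups each job function may hold (11.6: access commensurate with job function).
JOB_ENTITLEMENTS = {"AP Clerk": {"AP-Users"}, "Developer": {"Dev-Users"}}

# Privileged groups and the personnel management has authorized (11.4 item 3, 11.7).
PRIVILEGED_GROUPS = {"Domain Admins": {"adminA"}, "Prod-Admins": {"adminA", "adminB"}}


def review_access(hr, accounts, entitlements, privileged, today):
    """Return (user_id, finding) pairs for every account that fails a check."""
    findings = []
    for uid, acct in accounts.items():
        person = hr.get(uid)
        if person is None:
            findings.append((uid, "no HR record for account (orphan or shared ID)"))
        elif person["status"] == "separated":
            sep = person["separated"]
            if acct["enabled"] and today >= sep:
                findings.append((uid, f"separated {sep}, account still enabled"))
            if today - sep > DELETE_AFTER:
                findings.append((uid, f"separated {sep}, account not deleted after 14 days"))
        elif acct["enabled"]:
            # Privileged groups are judged by the authorization list below, not by job.
            allowed = entitlements.get(person["job"], set())
            excess = acct["groups"] - allowed - set(privileged)
            if excess:
                findings.append((uid, f"{person['job']} holds groups beyond entitlement: {sorted(excess)}"))
        for group, authorized in privileged.items():
            if group in acct["groups"] and uid not in authorized:
                findings.append((uid, f"member of {group} without management authorization"))
    return findings


if __name__ == "__main__":
    for uid, finding in review_access(HR_ROSTER, ACCOUNTS, JOB_ENTITLEMENTS,
                                      PRIVILEGED_GROUPS, REVIEW_DATE):
        print(f"{uid:8} {finding}")
```

On the constructed data the review surfaces each failure mode the three controls describe: an enabled account for someone who separated two days ago, a disabled account never deleted, a clerk who can both enter and approve, a developer in the production administrators group, and a service account with no HR owner holding Domain Admins. The output is the exception list the business managers sign off in the semiannual review.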
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
    Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
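11.9 asks whether reports/logs are monitored for potential unauthorized activity but does not say what to look for. As an added example (not from the checklist), the script below runs two common checks over perimeter log lines: repeated denies from one source across several ports (a scan), and any allowed connection to a management port from outside the management network (an exposure the firewall rule base should not permit). The log lines and their key=value format are constructed; real firewall exports differ, and the regular expression and the management network would be adjusted to the environment.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed lines in a generic key=value syslog style; real firewalls differ.
SAMPLE_LOG = """\
Jun 30 02:14:07 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=22
Jun 30 02:14:08 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=23
Jun 30 02:14:09 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=445
Jun 30 02:14:10 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=1433
Jun 30 02:14:11 fw1 DENY src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=3389
Jun 30 02:15:40 fw1 ALLOW src=203.0.113.55 dst=198.51.100.20 proto=tcp dport=3389
Jun 30 02:16:02 fw1 ALLOW src=10.10.5.4 dst=198.51.100.20 proto=tcp dport=3389
Jun 30 02:17:30 fw1 ALLOW src=192.0.2.9 dst=198.51.100.30 proto=tcp dport=443
Jun 30 02:18:01 fw1 DENY src=192.0.2.9 dst=198.51.100.30 proto=tcp dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

MGMT_PORTS = {22, 3389}                          # SSH and RDP
MGMT_NETWORKS = [ip_network("10.10.5.0/24")]     # assumed internal admin network
DENY_THRESHOLD = 5                               # denies from one source worth a look


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def review_perimeter_log(text, mgmt_ports=MGMT_PORTS, mgmt_networks=MGMT_NETWORKS,
                         deny_threshold=DENY_THRESHOLD):
    """Return human-readable findings for the two checks described above."""
    denies = Counter()            # denied connections per source address
    deny_ports = defaultdict(set) # distinct destination ports each source hit
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ip_address(rec["src"])
        if rec["action"] == "DENY":
            denies[src] += 1
            deny_ports[src].add(rec["dport"])
        elif rec["dport"] in mgmt_ports and not any(src in net for net in mgmt_networks):
            findings.append(f"{rec['ts']} management port {rec['dport']} on {rec['dst']} "
                            f"reached from non-management source {src}")
    for src, count in denies.items():
        if count >= deny_threshold:
            findings.append(f"{src}: {count} denied connections across ports "
                            f"{sorted(deny_ports[src])} (possible scan)")
    return findings


if __name__ == "__main__":
    for finding in review_perimeter_log(SAMPLE_LOG):
        print(finding)
```

The constructed batch yields two findings: RDP on 198.51.100.20 reached from 203.0.113.55, which is not in the management network, and 203.0.113.7 probing five ports. The denies are evidence that the firewall worked; the allowed RDP session is the one that needs a rule-base change, which is why the review distinguishes the two.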
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
    Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
    Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
    Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Questions: Is the administrative access required to implement system software changes into the production environment restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist, or that changes are implemented through a scheduled job? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development life cycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
    Questions: Has a written system development life cycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
    Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
    Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
    Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
    Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
    Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
    Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
    Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a help desk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the help desk ticket.
    Questions: In the event that a backup job fails or data processing performance is negatively affected, is a help desk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the help desk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
    Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
    Questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file).
    Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to input file, to output file)?
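11.25 and 11.26 name the ingredients of input control (edit checks, identification of rejected transactions, and balancing to the source file) but not how they fit together. The added example below, written for this page rather than taken from any Commonwealth system, processes a constructed vendor-payment interface file that ends with a trailer carrying the sender's record count and control total (the file layout is an assumption): each detail row passes the edit checks or is rejected with a reason, and the batch is then balanced against the trailer. Because one rejected row has an unreadable amount, the batch cannot balance, and the result reports both the difference and the number of amounts that could not be read, which is what a reviewer needs in order to resolve the rejects rather than merely count them.

```python
import csv
import io
import re
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed interface file: detail rows, then a TRAILER row with the sender's
# record count and control total (a common batch convention; layout assumed).
SAMPLE_FILE = """\
vendor_id,invoice,amount,invoice_date
V00123,INV-1001,1250.00,2017-06-01
V00124,INV-1002,-40.00,2017-06-02
V0012X,INV-1003,300.50,2017-06-03
V00125,INV-1004,1O0.00,2017-06-04
V00126,INV-1005,15.25,2017-13-01
V00127,INV-1006,480.00,2017-06-05
TRAILER,6,2105.75
"""

VENDOR_RE = re.compile(r"^V\d{5}$")


def parse_amount(text):
    """Accept only a decimal with exactly two places; anything else -> None."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    return amount if amount.as_tuple().exponent == -2 else None


def validate_record(row):
    """Edit checks on one detail row; returns the list of reasons (empty = accepted)."""
    reasons = []
    if not VENDOR_RE.match(row["vendor_id"]):
        reasons.append("vendor_id not in Vnnnnn format")
    amount = parse_amount(row["amount"])
    if amount is None:
        reasons.append("amount not a 2-decimal number")
    elif amount <= 0:
        reasons.append("amount not positive")
    try:
        datetime.strptime(row["invoice_date"], "%Y-%m-%d")
    except ValueError:
        reasons.append("invoice_date invalid")
    return reasons


def process_file(text):
    """Validate every detail row, then balance the batch against the trailer."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    accepted, rejected = [], []
    trailer_count = trailer_total = None
    for fields in reader:
        if fields and fields[0] == "TRAILER":
            trailer_count, trailer_total = int(fields[1]), Decimal(fields[2])
            break
        row = dict(zip(header, fields))
        reasons = validate_record(row)
        (rejected if reasons else accepted).append((row, reasons))
    # Balancing: every input record is either accepted or rejected, and the
    # amounts that could be read must add up to the sender's control total.
    read_total = Decimal("0.00")
    unreadable = 0
    for row, _ in accepted + rejected:
        amount = parse_amount(row["amount"])
        if amount is None:
            unreadable += 1
        else:
            read_total += amount
    return {
        "accepted": accepted,
        "rejected": rejected,
        "count_balanced": trailer_count == len(accepted) + len(rejected),
        "amount_difference": None if trailer_total is None else trailer_total - read_total,
        "unreadable_amounts": unreadable,
    }


if __name__ == "__main__":
    result = process_file(SAMPLE_FILE)
    for row, reasons in result["rejected"]:
        print("REJECT", row["invoice"], "; ".join(reasons))
    print("count balanced:", result["count_balanced"],
          "| difference vs control total:", result["amount_difference"],
          "| unreadable amounts:", result["unreadable_amounts"])
```

The record count balances (six in, two accepted plus four rejected), but the control total is 100.00 higher than the amounts that could be read, and exactly one amount was unreadable; the reviewer's next step is to obtain the correct amount for INV-1004 from the source system, not to post the accepted rows and move on.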
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
    Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
    Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
    Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
    Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
    Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
    Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors.
    Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
    Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and does not report false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
    Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, are up to date, reflect actual operating practices, are in alignment with goals and objectives, and comply with state and federal program requirements.
    Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.).
    Questions: How does management ensure that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.)?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
    Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in the community room, e-mail, onboarding process).
    Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
    Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications occur (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
    Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
    Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., e-mail)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
    Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
    Questions: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
    Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
    Questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
    Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
    Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
    Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
    Questions: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
    Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

©2017 CliftonLarsonAllen LLP
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Fundamental Concepts

• What is internal control in Green Book?
  – Internal control is a process effected by an entity's management that provides reasonable assurance that the objectives of an entity will be achieved.
• What is an internal control system in Green Book?
  – An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization's objectives will be achieved.

Relationship Between Components, Principles and Attributes

(Figure: Objectives, Components, Principles and Attributes, illustrated on the slide with one example)
Objective: Process vendor bills after the valid purchase and receipt of goods or services
Component: Control Activity
Principle: Design Activities for Information System
Attribute: Application Control – Workflow Approval

Components and Principles

Revised Green Book Principles: 5 Components and 17 Principles

Component, Principle, Attribute: Working Framework

Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – Entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively
  – Attributes are considerations that can contribute to the design, implementation and operating effectiveness of principles

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation

• An effective internal control system requires that each of the five components is:
  – Effectively designed, implemented and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

(Figure: the Green Book is laid out in two parts, Overview and Standards)

5 Control Components

• These 5 control components must be effectively designed, implemented and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens technique"
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

HERE

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown on the slide: Written Policy (Required); Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

THERE

Deliverables shown on the slide: Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required); Internal Control Policies and Procedures (Required); Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, significant deficiency, or a material weakness by making the appropriate selection with the drop down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability of outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template

Examples


Enterprise Risk Management

RISK DESCRIPTION | Level of documented control procedures | Size or volume | New products, services, or processing systems | Personnel turnover and mix | Complexity | Susceptibility to fraud | Information and reporting | Inherent Level of Risk to the Organization | Frequency mentioned during interviews | Total Score
Weight | 10 | 10 | 10 | 15 | 15 | 15 | 10 | 10 | 5 | 100
Data Breach: The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330
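Each Total Score in the spreadsheet above is a weighted sum: every factor rating is multiplied by that factor's weight (the weights sum to 100) and the nine products are added. The Python below is an added example, not part of the CLA deck or of the Wolf Trap spreadsheet; it reproduces the five totals from the ratings and weights, ranks the register, and reports which factors drive each score, which is where a new control would reduce exposure most. Factor names, weights and ratings are copied from the table; the 1-to-5 rating range is an assumption inferred from the values shown.

```python
"""Weighted inherent-risk scoring, as in the Enterprise Risk Management
spreadsheet above. Each risk is rated on nine factors; each factor has a
weight; the Total Score is the sum of rating * weight. Added example."""

from dataclasses import dataclass

# Factor names and weights, copied from the spreadsheet header rows.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Assumption: ratings run 1 (low) to 5 (high); every rating on the slide is in that range.
RATING_MIN, RATING_MAX = 1, 5


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    ratings: tuple
    total: int


def validate_weights(factors=FACTORS):
    """Weights are percentages and must sum to 100, so the maximum total is 5 * 100 = 500."""
    total = sum(weight for _, weight in factors)
    if total != 100:
        raise ValueError(f"factor weights sum to {total}, expected 100")
    return total


def score_risk(name, ratings, factors=FACTORS):
    """Weighted sum of one risk's ratings; rejects malformed rows instead of silently mis-scoring."""
    if len(ratings) != len(factors):
        raise ValueError(f"{name}: expected {len(factors)} ratings, got {len(ratings)}")
    for rating in ratings:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{name}: rating {rating} outside {RATING_MIN}..{RATING_MAX}")
    total = sum(rating * weight for rating, (_, weight) in zip(ratings, factors))
    return ScoredRisk(name, tuple(ratings), total)


def rank_register(register, factors=FACTORS):
    """Score every (name, ratings) row and sort highest total first; ties keep register order."""
    validate_weights(factors)
    scored = [score_risk(name, ratings, factors) for name, ratings in register]
    return sorted(scored, key=lambda risk: risk.total, reverse=True)


def top_factors(risk, n=3, factors=FACTORS):
    """The n factors contributing most points to a risk's total."""
    contributions = [(name, rating * weight)
                     for rating, (name, weight) in zip(risk.ratings, factors)]
    return sorted(contributions, key=lambda item: item[1], reverse=True)[:n]


# Ratings copied from the five rows of the spreadsheet above.
REGISTER = [
    ("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    ("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    ("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    ("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    ("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        drivers = ", ".join(f"{name} ({points})" for name, points in top_factors(risk))
        print(f"{risk.total:4d}  {risk.name:36s} drivers: {drivers}")
```

Because three risks tie at 335, the sort is deliberately stable so the register's own order decides ties; a team that wants a different tie-break (for example by "Susceptibility to fraud") can add it to the sort key rather than adjusting weights.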


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen | CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

Weakness Level drop-down values: Deficiency; Significant Deficiency; Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

In the rows below, the Control Factor Statement and the Control Factor Question are separated by " | "; the remaining columns are blank in the template.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. | Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). | Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). | Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system. | Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. | Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. | Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. | How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. | How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials, and references of new employees. | When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. | Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. | Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. | Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. | Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. | Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. | Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. | In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. | How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. | Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. | Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. | Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. | How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. | Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. | How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. | How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. | How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. | How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. | Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. | Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. | Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. | Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators. | Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. | Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems. | Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). | Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. | Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; appropriate documentation (formal policies, directives, and manuals are properly managed and maintained). | Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. | Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
1011 Employees understand which records they are responsible to maintain and the required retention period Records are appropriately filed and are disposed of according to the updated retention schedule How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule
1012 Management has a written policy in place which defines the procedures for monitoring sub-recipients 1) The agencyassessable unit documents its review of sub-recipients 2) The agencyassessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring Does management have a written policy in place which defines the procedures for monitoring sub-recipients Does management document its review of sub-recipients Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring
1013 Management confirms the operating effectiveness of their service providers controls Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Management determines whether examinations audits service level agreements and related independent reports (ie Service Organization Control (SOC) 1 SOC 2 andor SOC 3 reports security assessments system certifications etc) should beare required as part of the contract with the third party service provider Does management confirm the operating effectiveness of their service providers controls Does management inventory existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Does management determine whether examinations audits service level agreements and related independent reports should beare required as part of the contract with the third party service provider
1014 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follows up on any areas of concerndeficiencies identified in the reports Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follow up on any areas of concerndeficiencies identified in the reports
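As an added example (not part of the questionnaire or of CliftonLarsonAllen's material), a Python check for the segregation-of-duties control in item 10.5: it maps each user's roles to the four duty classes named there (initiate, reconcile, custody of assets, review), flags conflicting combinations, and then removes conflicts that have a documented compensating control. The role names, conflict matrix and sample users are constructed assumptions.

```python
"""Segregation-of-duties (SoD) test over a role-to-duty mapping (item 10.5)."""
from itertools import combinations

# Assumption: the agency has mapped its system roles onto the four duty
# classes that item 10.5 says one person should not combine.
ROLE_DUTIES = {
    "AP_CLERK": {"initiate"},          # initiates transactions
    "GL_ACCOUNTANT": {"reconcile"},    # reconciles balances
    "CASHIER": {"custody"},            # handles assets
    "FINANCE_MANAGER": {"review"},     # reviews reports
    "SYS_ADMIN_FIN": {"initiate", "reconcile"},  # constructed over-broad role
}

# Constructed conflict matrix: duty pairs that must not sit with one person.
CONFLICTS = {
    frozenset({"initiate", "reconcile"}),
    frozenset({"initiate", "custody"}),
    frozenset({"custody", "reconcile"}),
    frozenset({"initiate", "review"}),
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duty classes granted by a user's roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a
    conflicting pair of duties, whether through several roles or one role."""
    findings = {}
    for user, roles in user_roles.items():
        duties = duties_for(roles, role_duties)
        hits = [tuple(sorted(pair))
                for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = sorted(hits)
    return findings


def unmitigated(findings, compensating_controls):
    """Drop conflicts covered by a documented compensating control
    (item 10.5: additional supervision and review where SoD is impractical).
    compensating_controls: {user: {frozenset(pair): 'description'}}."""
    remaining = {}
    for user, pairs in findings.items():
        documented = compensating_controls.get(user, {})
        open_pairs = [p for p in pairs if frozenset(p) not in documented]
        if open_pairs:
            remaining[user] = open_pairs
    return remaining


# Constructed sample users; not real accounts.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "GL_ACCOUNTANT"],       # initiate + reconcile
    "carol": ["CASHIER", "FINANCE_MANAGER"],    # custody + review: allowed here
    "dave": ["SYS_ADMIN_FIN"],                  # one role carrying two duties
}

# Constructed exception register: bob's conflict has a documented control.
COMPENSATING = {
    "bob": {frozenset({"initiate", "reconcile"}):
            "Monthly re-performance of the reconciliation by the Deputy Director"},
}

if __name__ == "__main__":
    found = sod_conflicts(USER_ROLES)
    for user, pairs in unmitigated(found, COMPENSATING).items():
        print(f"{user}: undocumented SoD conflict(s) {pairs}")
```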
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
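As an added example (not from the questionnaire or from CliftonLarsonAllen), a small Python audit helper that tests the two controls described in items 11.3 and 11.4 against constructed data: it compares an exported set of password parameters with the documented settings (8 characters, numeric and alpha required, 30-day expiry, suspension after four failed logins), and reconciles an HR separation list with an account export to flag IDs that were not suspended on the last day or not deleted after the two-week period. The dictionary keys, dataclasses and sample users are assumptions.

```python
"""Tests for two IT general controls from the questionnaire (items 11.3 and 11.4)."""
from dataclasses import dataclass
from datetime import date, timedelta

# ---- 11.3: password parameter settings ----
# Assumption: the documented control expressed as the values an auditor would
# compare against an export of the domain password policy.
REQUIRED_POLICY = {
    "min_length": 8,          # minimum of 8 characters
    "complexity": True,       # one numeric and one alpha character required
    "max_age_days": 30,       # passwords expire every 30 days
    "lockout_threshold": 4,   # suspended after four invalid login attempts
}

# Constructed sample export (not a real domain).
ACTUAL_POLICY = {
    "min_length": 8,
    "complexity": True,
    "max_age_days": 90,       # weaker than the documented 30 days
    "lockout_threshold": 0,   # 0 means lockout is disabled
}


def password_policy_gaps(actual, required=REQUIRED_POLICY):
    """Return {setting: actual_value} for each setting weaker than the control.
    A zero max_age_days or lockout_threshold means 'never' / 'disabled',
    which is weaker than any finite value and is therefore always a gap."""
    gaps = {}
    if actual["min_length"] < required["min_length"]:
        gaps["min_length"] = actual["min_length"]
    if required["complexity"] and not actual["complexity"]:
        gaps["complexity"] = actual["complexity"]
    if actual["max_age_days"] == 0 or actual["max_age_days"] > required["max_age_days"]:
        gaps["max_age_days"] = actual["max_age_days"]
    if actual["lockout_threshold"] == 0 or actual["lockout_threshold"] > required["lockout_threshold"]:
        gaps["lockout_threshold"] = actual["lockout_threshold"]
    return gaps


# ---- 11.4: leaver de-provisioning ----
@dataclass(frozen=True)
class Account:
    user_id: str
    status: str            # "active", "suspended" or "deleted"
    status_changed: date   # date the current status took effect


@dataclass(frozen=True)
class Separation:
    user_id: str
    last_day: date         # from the HR separation notice


def leaver_exceptions(separations, accounts, as_of, deletion_grace_days=14):
    """Compare HR separations with the account export as of a given date and
    return (user_id, issue) pairs for IDs not suspended by the last day or
    still present after the two-week deletion period."""
    by_id = {a.user_id: a for a in accounts}
    findings = []
    for sep in separations:
        acct = by_id.get(sep.user_id)
        if acct is None:
            continue  # already purged from the export: nothing to de-provision
        if acct.status == "active" and as_of > sep.last_day:
            findings.append((sep.user_id, "still active after last day"))
        elif acct.status == "suspended" and acct.status_changed > sep.last_day:
            findings.append((sep.user_id, "suspended late"))
        deadline = sep.last_day + timedelta(days=deletion_grace_days)
        if acct.status != "deleted" and as_of > deadline:
            findings.append((sep.user_id, "not deleted after two-week period"))
    return findings


# Constructed sample data (not real Commonwealth records).
AS_OF = date(2017, 6, 30)
SEPARATIONS = [
    Separation("u100", date(2017, 5, 31)),
    Separation("u200", date(2017, 6, 20)),
    Separation("u300", date(2017, 6, 1)),
    Separation("u400", date(2017, 6, 10)),
    Separation("u500", date(2017, 6, 28)),   # not in the export at all
]
ACCOUNTS = [
    Account("u100", "deleted", date(2017, 6, 15)),    # handled correctly
    Account("u200", "suspended", date(2017, 6, 20)),  # still inside grace period
    Account("u300", "suspended", date(2017, 6, 5)),   # suspended 4 days late
    Account("u400", "active", date(2017, 1, 9)),      # never suspended
]

if __name__ == "__main__":
    print("password policy gaps:", password_policy_gaps(ACTUAL_POLICY))
    for user_id, issue in leaver_exceptions(SEPARATIONS, ACCOUNTS, AS_OF):
        print(user_id, issue)
```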
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies its information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners. Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Relationship Between Components, Principles and Attributes

Objectives → Components → Principles → Attributes

14

Example walked through the hierarchy (figure text): Objective: process vendor bills after the valid purchase and receipt of goods or services; Component: Control Activity; Principle: Design Activities for Information System; Attribute: Application Control – Workflow Approval.

Components and Principles

15

Revised Green Book Principles: 5 Components and 17 Principles

16

Working Framework: Component, Principle, Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system
• Principles and attributes
  – The entity should implement relevant principles
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles


Principles and Attributes (cont)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system
• Attributes provide further explanation of the principle and documentation requirements; they may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components is
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not effective if related principles are not effective

Layout of the Green Book

Overview
Standards


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively


Minimum Documentation Requirements (cont.)

Requirement | Component (Green Book paragraph reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ The "stuff happens" technique
    ◊ "Trust level" is the dominant form of risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework: Written Policy (Required)
• Break down the organization into functions: Risk Assessment Spreadsheet
• Establish a process for evaluating risks: Risk Assessment Spreadsheet
• Create teams by function to brainstorm risks: Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

Deliverables for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each identified issue must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Risk scoring spreadsheet. Each risk is rated 1 to 5 on nine factors; the Total Score is the sum of each rating multiplied by its factor weight. The weights total 100, so the maximum score is 500.

Factors (weight):
1. Level of documented control procedures (10)
2. Size or volume (10)
3. New products, services, or processing systems (10)
4. Personnel turnover and mix (15)
5. Complexity (15)
6. Susceptibility to fraud (15)
7. Information and reporting (10)
8. Inherent level of risk to the organization (10)
9. Frequency mentioned during interviews (5)

Risk Description | Ratings for factors 1 to 9 | Total Score
Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405
National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335
Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335
Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335
Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
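The weighted scoring behind the table above, written out as an added Python example (it is not part of the original deck or of the template): every rating is multiplied by its column weight and the products are summed, which reproduces the slide's totals (405, 335, 335, 335, 330). The factor names, weights and ratings are the slide's own; the function names, the 1 to 5 scale bounds and the 80% high-exposure cut-off are assumptions introduced here so that the "design controls to mitigate high exposure risks" step has a concrete, auditable line.

```python
"""Weighted inherent-risk scoring, reproducing the Enterprise Risk Management slide.

Added example, not part of the original deck. Each risk is rated 1 to 5 on nine
factors; a factor's contribution is rating * weight and the Total Score is the
sum of the contributions. The weights total 100, so the maximum score is 500.
Function names, the scale bounds and the high-exposure threshold are assumptions.
"""

# Factor names and weights as printed on the slide (weights sum to 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
WEIGHTS = [w for _, w in FACTORS]
MIN_RATING, MAX_RATING = 1, 5          # assumed scale bounds (the slide uses 1..5)
MAX_SCORE = MAX_RATING * sum(WEIGHTS)  # 500

# Ratings as printed on the slide (Wolf Trap example), in factor order.
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def check_weights(weights=WEIGHTS):
    """Reject a weight row that does not total 100 (a silent spreadsheet error)."""
    if sum(weights) != 100:
        raise ValueError(f"weights total {sum(weights)}, expected 100")
    return True


def score(ratings, weights=WEIGHTS):
    """Total Score for one risk: sum of rating * weight, with input validation."""
    if len(ratings) != len(weights):
        raise ValueError("one rating per factor is required")
    for r in ratings:
        if not isinstance(r, int) or not MIN_RATING <= r <= MAX_RATING:
            raise ValueError(f"rating {r!r} outside {MIN_RATING}..{MAX_RATING}")
    return sum(r * w for r, w in zip(ratings, weights))


def rank_risks(risks=RISKS, weights=WEIGHTS):
    """(name, score) pairs from highest to lowest; ties keep spreadsheet order."""
    check_weights(weights)
    scored = [(name, score(r, weights)) for name, r in risks.items()]
    return sorted(scored, key=lambda pair: -pair[1])


def high_exposure(risks=RISKS, weights=WEIGHTS, threshold=0.8):
    """Names of risks scoring at or above threshold * maximum score.

    The 80% cut-off is an assumption standing in for the entity's own risk
    tolerance, the line management has to set before deciding which risks
    get newly designed controls.
    """
    cutoff = threshold * MAX_RATING * sum(weights)
    return [name for name, s in rank_risks(risks, weights) if s >= cutoff]


def top_drivers(ratings, n=3, factors=FACTORS):
    """The n factors contributing most to one risk's score, as (name, rating * weight)."""
    contrib = [(name, r * w) for (name, w), r in zip(factors, ratings)]
    return sorted(contrib, key=lambda pair: -pair[1])[:n]


if __name__ == "__main__":
    for name, total in rank_risks():
        print(f"{total:4d}  {name}")
    print("high exposure:", high_exposure())
    print("Data Breach drivers:", top_drivers(RISKS["Data Breach"]))
```

Running the module ranks Data Breach first (405) and, at the assumed 80% cut-off, marks it as the only high-exposure risk; `top_drivers` shows that its score is driven by Complexity (75) and Susceptibility to fraud (60), which is the kind of breakdown the "align existing controls with identified risks" step needs. The input checks matter because the spreadsheet itself will happily total a weight row of 95 or a rating of 0 without complaint.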


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit / Management Audit Plan

CLAconnect.com
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

Examples Tab

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30 20xx Deficiency
Significant Deficiency
Material Weakness
Agency _______________________ Assessable Unit_____________ Updated 07182016
To be completed for all significant deficiencies or material weaknesses
Control Factor Statement Control Factor Question NA Controls Implemented Action ItemsAreas Needing Improvement Weakness Level Corrective Action Plan Responsible Party Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
43 Employees receiveobtain information and training about internal controls as it pertains to onersquos position role and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system Does each employee in the AgencyAssessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system If yes how often does this training occur
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
51 Management enforces accountability of all individuals including all agency personnel as well as all service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations
52 Job performance is periodically evaluated and reviewed with each employee Appropriate remedial action is taken when performance expectations are not met Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individualrsquos position or status Does your AgencyAssessable Unit enforce accountability with respect to management staff and contractors Are performance evaluations being conducted on a timely basis to ensure job duties (ie reconciliations reviews) are being performed What remedial actions are taken when performance is not adequate or inappropriate behavior is reported
53 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities Excessive pressures are adjusted by rebalancing workloads increasing resource levels or by other methods Is excessive pressure placed on management staff contractors etc to complete tasks andor their assigned duties If yes how do you protect against the related risks of corners being cut quality diminishing etc
Risk Assessment
Principle 6 ndash Define Objectives and Risk Tolerances
61 Agency has a defined strategic plan including a mission statement and defined goals and objectives Assessable unit goals and objectives are in concert with those of the Agency The Agency plan identifies critical success factors and risks including fraud risk related to achieving the defined objectives Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks Management has established a process to periodically review and update strategic plans and objectives In your AgencyAssessable Units defined strategic plan how do you specifically address critical success factors and risks related to your goals and objectives What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks What is your process for periodically reviewing and updating the strategic plan and related objectives
62 Management defines risk tolerances for its defined objectives in specific and measurable terms This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives a reasonable level of precision and accuracy for nonfinancial reporting objectives and a reasonable level of materiality for financial reporting objectives Acceptable levels of variation are documented and adhered to by each Assessable Unit How does management define its risk tolerance for their objectives Does your AgencyAssessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operation objectives Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives
Principle 7 ndash Identify Analyze and Respond to Risks
71 A process (ie Strengths Weaknesses Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel new information systems changes in management responsibilities new or changed educational or research programs etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of internal risk factors on objectives and plans If yes what is your process How often is the process updated
72 A process exists to identify and consider the implications of external risk factors (new legislation technological advancements expectations of the federal government etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of external risk factors objectives and plans How often is the process updated
73 Management has developed an approach for risk management that assesses the likelihood frequency and impact of each identified risk event assigns a risk category (high medium low) to each event and considers the costs versus the benefits of reducing the risk Do you conduct a risk assessment of your business processes If so how and how often
74 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities Are plans developed and documented to mitigate significant identified risks Are risks mapped to specific control activities
75 Management periodically assesses employee attitudes towards their specific roles in the agency reviews the effectiveness of the organization structure and evaluates the appropriateness of policies and procedures Is management open to feedback from employees and does management continually assess employee attitudes towards their roles (ie open-door policy)
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 - Access Fraud Risk
8.1 Specific antifraud policies and training have been developed; employees periodically receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Questions: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Questions: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Questions: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
Questions: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Questions: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned within your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
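As an added example (not part of the questionnaire or of its author's material), the following Python script performs the two checks items 10.5 and 10.6 ask about over an IT system's role assignments: it maps each user's roles to the four duties item 10.5 says one person should not combine, flags conflicting combinations (reporting separately those covered by a documented compensating control), and lists roles whose last documented review is older than a year. The role catalogue, users, control reference and dates are constructed.

```python
"""Segregation-of-duties (SoD) and role-review checks over an IT system's role assignments.

Added example for Green Book items 10.5 and 10.6; all roles, users and dates
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, List, Optional, Set

# The four duties item 10.5 says no one person should combine.
DUTIES = ("initiate_transactions", "reconcile_balances", "handle_assets", "review_reports")

# Constructed role catalogue: role name -> duties the role grants in the system.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"initiate_transactions"},
    "GL_ACCOUNTANT": {"reconcile_balances"},
    "TREASURY": {"handle_assets"},
    "CONTROLLER": {"review_reports"},
    "AP_SUPER": {"initiate_transactions", "reconcile_balances"},  # conflicting by design
}


@dataclass
class Assignment:
    user: str
    roles: Set[str]
    # Documented compensating control for an accepted SoD exception (item 10.5).
    compensating_control: Optional[str] = None


@dataclass
class Finding:
    user: str
    kind: str      # "sod_conflict" or "sod_conflict_mitigated"
    detail: str


def duties_for(roles: Set[str]) -> Set[str]:
    """Union of the duties granted by a user's roles; unknown roles grant nothing."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_DUTIES.get(role, set())
    return granted


def sod_findings(assignments: List[Assignment]) -> List[Finding]:
    """One finding per user holding two or more of the segregated duties."""
    findings = []
    for a in assignments:
        held = duties_for(a.roles)
        conflicts = [(x, y) for x, y in combinations(DUTIES, 2) if x in held and y in held]
        if not conflicts:
            continue
        detail = "; ".join(f"{x}+{y}" for x, y in conflicts)
        if a.compensating_control:
            # Exception is documented: report it so the reviewer re-validates the control.
            findings.append(Finding(a.user, "sod_conflict_mitigated",
                                    f"{detail} (compensating control: {a.compensating_control})"))
        else:
            findings.append(Finding(a.user, "sod_conflict", detail))
    return findings


def stale_role_reviews(last_reviewed: Dict[str, date], as_of: date,
                       max_age_days: int = 365) -> List[str]:
    """Roles whose last documented review is older than max_age_days (item 10.6)."""
    return sorted(role for role, d in last_reviewed.items() if (as_of - d).days > max_age_days)


# Constructed review population.
ASSIGNMENTS = [
    Assignment("ahill", {"AP_CLERK"}),
    Assignment("bkim", {"AP_CLERK", "TREASURY"},
               compensating_control="CTRL-17 supervisor re-performs monthly"),
    Assignment("cdiaz", {"AP_SUPER"}),
    Assignment("dlee", {"GL_ACCOUNTANT", "CONTROLLER", "TREASURY"}),
]
LAST_ROLE_REVIEW = {
    "AP_CLERK": date(2017, 3, 1),
    "GL_ACCOUNTANT": date(2017, 1, 10),
    "TREASURY": date(2016, 5, 15),
    "CONTROLLER": date(2017, 2, 20),
    "AP_SUPER": date(2015, 11, 30),
}

if __name__ == "__main__":
    for f in sod_findings(ASSIGNMENTS):
        print(f"{f.kind:24} {f.user:8} {f.detail}")
    print("roles overdue for review:", stale_role_reviews(LAST_ROLE_REVIEW, date(2017, 6, 30)))
```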
10.7 Management designs control activities to ensure that certain transactions receive appropriate levels of review, based on predetermined criteria set by management in response to identified risks (i.e., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Questions: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Questions: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Questions: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports; security assessments; system certifications; etc.) should be/are required as part of the contract with the third-party service provider.
Questions: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
Questions: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Questions: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alpha character, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
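An added example (not from the questionnaire) that reconciles the leaver process in item 11.4 against an exported account list: a separated employee's ID should be suspended by the last day and gone from the system after the two-week period, and administrative access should be held only inside the IT group. The HR separation list, account export, departments and dates are constructed.

```python
"""Leaver and admin-scope reconciliation for the access administration process in item 11.4.

Added example, not part of the questionnaire: it compares HR's separation list with an
exported account list. A separated employee's ID must be suspended on the last day and
deleted after the two-week period the item describes, and administrative access must
be held only inside the IT group. All user IDs, departments and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

DELETE_AFTER = timedelta(days=14)   # "after a two-week period, user IDs are deleted"


@dataclass
class Account:
    user_id: str
    enabled: bool
    department: str
    is_admin: bool = False


@dataclass
class Separation:
    user_id: str
    last_day: date


def leaver_findings(separations: List[Separation], accounts: List[Account],
                    as_of: date) -> List[Tuple[str, str]]:
    """(user_id, issue) for each separated employee whose ID was not handled on time."""
    by_id = {a.user_id: a for a in accounts}
    findings = []
    for s in separations:
        if as_of < s.last_day:
            continue                      # still employed: nothing to check yet
        acct = by_id.get(s.user_id)
        if acct is None:
            continue                      # ID already deleted: compliant
        if as_of >= s.last_day + DELETE_AFTER:
            findings.append((s.user_id, "not_deleted_after_two_weeks"))
        if acct.enabled:
            findings.append((s.user_id, "still_enabled_after_last_day"))
    return findings


def admin_scope_findings(accounts: List[Account],
                         it_departments: Tuple[str, ...] = ("IT",)) -> List[Tuple[str, str]]:
    """Administrative access held outside the IT group (item 11.4, point 3)."""
    return [(a.user_id, "admin_outside_it")
            for a in accounts if a.is_admin and a.department not in it_departments]


# Constructed HR separation list and account export, as of the review date.
AS_OF = date(2017, 6, 30)
SEPARATIONS = [
    Separation("ahill", date(2017, 6, 1)),    # 29 days ago, ID still present
    Separation("bkim", date(2017, 6, 28)),    # 2 days ago, ID still enabled
    Separation("cdiaz", date(2017, 5, 1)),    # ID already deleted
    Separation("dlee", date(2017, 7, 15)),    # future separation
    Separation("efox", date(2017, 6, 25)),    # 5 days ago, ID still enabled
]
ACCOUNTS = [
    Account("ahill", enabled=False, department="Finance"),
    Account("bkim", enabled=True, department="Finance"),
    Account("dlee", enabled=True, department="HR"),
    Account("efox", enabled=True, department="Audit"),
    Account("gmoss", enabled=True, department="Finance", is_admin=True),
    Account("hpatel", enabled=True, department="IT", is_admin=True),
]

if __name__ == "__main__":
    for user, issue in leaver_findings(SEPARATIONS, ACCOUNTS, AS_OF) + admin_scope_findings(ACCOUNTS):
        print(f"{user:8} {issue}")
```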
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development

11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations

11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity

11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
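The following Python script is an added example (not part of the questionnaire) of the application controls items 11.24 to 11.26 describe, using the information-processing controls listed in item 10.9: it checks an interface batch against the sender's record count and control total, applies field-level edit checks and keeps the rejected transactions with their reasons, reports gaps in the transaction numbering, and reconciles the accepted input to what the receiving system reports as posted. The file layout, chart-of-accounts format and every record are constructed.

```python
"""Edit checks, batch controls and input/output reconciliation for an interface batch.

Added example for Green Book items 11.24 to 11.26 (and the information-processing
controls listed in item 10.9). The file layout and every record are constructed.
"""
import csv
import io
import re
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed input file: an "H" row carrying the sender's control figures, then "D" rows
# with transaction number, date, account code and amount.
INPUT_FILE = """\
H,record_count=5,control_total=1575.25
D,1001,2017-06-01,4100-200,250.00
D,1002,2017-06-01,4100-200,125.25
D,1003,2017-06-02,ABC,400.00
D,1005,2017-06-02,4100-310,800.00
D,1005,2017-06-03,4100-310,0.00
"""

# Constructed posting report from the receiving system: transaction number, posted amount.
OUTPUT_FILE = """\
1001,250.00
1002,125.25
"""

ACCOUNT_RE = re.compile(r"^\d{4}-\d{3}$")   # constructed chart-of-accounts format


def parse_input(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Split the batch into the sender's control header and the detail transactions."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = dict(kv.split("=", 1) for kv in rows[0][1:])
    details = [{"txn": r[1], "date": r[2], "account": r[3], "amount": Decimal(r[4])}
               for r in rows[1:] if r[0] == "D"]
    return header, details


def batch_control_checks(header: Dict[str, str], details: List[dict]) -> List[str]:
    """Record count and batch (hash) total against the sender's control figures (item 10.9)."""
    issues = []
    if int(header["record_count"]) != len(details):
        issues.append(f"record count {len(details)} != control {header['record_count']}")
    total = sum((d["amount"] for d in details), Decimal("0"))
    if total != Decimal(header["control_total"]):
        issues.append(f"hash total {total} != control {header['control_total']}")
    return issues


def edit_checks(details: List[dict]) -> Tuple[List[dict], List[Tuple[dict, List[str]]]]:
    """Field-level edit checks; rejected transactions are kept with their reasons (item 11.26)."""
    accepted, rejected, seen = [], [], set()
    for d in details:
        reasons = []
        if not ACCOUNT_RE.match(d["account"]):
            reasons.append("invalid account code")
        if d["amount"] <= 0:
            reasons.append("non-positive amount")
        if d["txn"] in seen:
            reasons.append("duplicate transaction number")
        seen.add(d["txn"])
        if reasons:
            rejected.append((d, reasons))
        else:
            accepted.append(d)
    return accepted, rejected


def sequence_gaps(details: List[dict]) -> List[int]:
    """Missing numbers in the transaction sequence (accounting for numerical sequence, item 10.9)."""
    nums = {int(d["txn"]) for d in details}
    return [n for n in range(min(nums), max(nums)) if n not in nums]


def reconcile_to_output(accepted: List[dict], output_text: str) -> List[Tuple[str, str]]:
    """Accepted input vs. what the receiving system reports as posted (item 11.26)."""
    posted = {r[0]: Decimal(r[1]) for r in csv.reader(io.StringIO(output_text)) if r}
    accepted_by_txn = {d["txn"]: d["amount"] for d in accepted}
    diffs = []
    for txn, amount in accepted_by_txn.items():
        if txn not in posted:
            diffs.append((txn, "accepted but not posted"))
        elif posted[txn] != amount:
            diffs.append((txn, "posted amount differs"))
    diffs += [(txn, "posted but not in accepted input") for txn in posted if txn not in accepted_by_txn]
    return diffs


if __name__ == "__main__":
    header, details = parse_input(INPUT_FILE)
    print("batch control issues:", batch_control_checks(header, details))
    accepted, rejected = edit_checks(details)
    print("rejected:", [(d["txn"], why) for d, why in rejected])
    print("sequence gaps:", sequence_gaps(details))
    print("output reconciliation:", reconcile_to_output(accepted, OUTPUT_FILE))
```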
Disaster Recovery

11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities

12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication

Principle 13 – Use Quality Information

13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not reporting false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally

14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and in compliance with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally

15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Components and Principles


Revised Green Book Principles: 5 Components and 17 Principles


Component, Principle, Attribute: Working Framework


Principles and Attributes

• In general, all components and principles are required for an effective internal control system.

• Principles and attributes
  – Entity should implement relevant principles.
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles.


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.


Management Evaluation

• An effective internal control system requires that each of the five components are:
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system.

• A component is not effective if related principles are not effective.

Layout of the Green Book (figure showing the Overview and Standards sections)


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework.

• Internal controls are undermanaged:
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls:
  – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls.


Incremental Progress - Organizing

HERE

1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Deliverables shown on the slide: Written Policy (Required); Risk Assessment Spreadsheet.


Incremental Progress - Analysis and Monitoring

5. Analyze identified risks
6. Align existing controls with identified risks
7. Design controls to mitigate high-exposure risks
8. Develop a process to ensure the controls are operating as designed

THERE

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies.

A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Weighted risk scoring matrix. Each risk is rated 1 to 5 on nine factors; each factor carries a weight (the weights sum to 100), and the Total Score is the sum of rating times weight across the factors.

Factor (weight): Level of documented control procedures (10); Size or volume (10); New products, services or processing systems (10); Personnel turnover and mix (15); Complexity (15); Susceptibility to fraud (15); Information and reporting (10); Inherent level of risk to the organization (10); Frequency mentioned during interviews (5); Total Score (100).

Risk | Description | Ratings (in factor order) | Total Score
Data Breach | The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405
National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335
Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335
Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335
Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
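The scoring behind the spreadsheet above, as an added Python example (not code from the presentation or from CliftonLarsonAllen): the nine factor weights and the five rows of ratings are taken from the slide, while the input validation, the ranking and the score-range helper are this example's own additions. It reproduces the slide's totals and shows why a risk register should reject malformed rows rather than silently scoring them.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management
spreadsheet: each risk is rated 1-5 on nine factors, each factor carries a
weight (summing to 100), and the total score is the weighted sum.
Added illustration; weights and sample ratings are copied from the slide,
validation and ranking are this example's own."""

# Factor names and weights as shown in the spreadsheet header (weights sum to 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Ratings copied from the slide's rows (1 = low, 5 = high), in factor order.
SAMPLE_RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def total_score(ratings, factors=FACTORS):
    """Return the weighted total for one risk.

    Malformed rows are rejected (wrong number of cells, or a rating outside
    the 1-5 scale) so a spreadsheet typo cannot produce a plausible-looking
    score that quietly moves a risk up or down the ranking."""
    if len(ratings) != len(factors):
        raise ValueError(f"expected {len(factors)} ratings, got {len(ratings)}")
    for r in ratings:
        if not isinstance(r, int) or not 1 <= r <= 5:
            raise ValueError(f"rating {r!r} is outside the 1-5 scale")
    return sum(r * w for r, (_, w) in zip(ratings, factors))


def rank_risks(risks, factors=FACTORS):
    """Score every risk and return (name, score) pairs, highest score first.

    Python's sort is stable, so risks with equal totals keep their input
    order, which makes the ranking reproducible across runs."""
    scored = [(name, total_score(r, factors)) for name, r in risks.items()]
    return sorted(scored, key=lambda pair: -pair[1])


def score_range(factors=FACTORS):
    """Minimum and maximum attainable totals for the given weights.

    Useful as a sanity check on the weights (100 * 1 .. 100 * 5 when they
    sum to 100) and as the bounds for high/medium/low cut-offs."""
    weight_sum = sum(w for _, w in factors)
    return weight_sum * 1, weight_sum * 5


if __name__ == "__main__":
    low, high = score_range()
    print(f"attainable range: {low}-{high}")
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{score:4d}  {name}")
```

Run as a script it lists the five slide risks in descending order, with Data Breach (405) first and Audience Competition (330) last; the three 335-point risks stay in the order they appear on the slide.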


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit / Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________ Assessable Unit: _____________ Updated 07/18/2016

Weakness Level (to be completed for all significant deficiencies or material weaknesses): Deficiency / Significant Deficiency / Material Weakness

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system. Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees. When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel. Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?

Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Questions: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Questions: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Questions: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
Questions: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Questions: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million, so all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Questions: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Questions: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Questions: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) The agency/assessable unit documents its review of sub-recipients. 2) The agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
Questions: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
Questions: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Questions: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
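Items 10.5, 11.4, 11.6, 11.7 and 11.14 above all describe questions an access review has to answer: who holds conflicting duties, whose account should already be suspended or deleted, who holds privileged or production-deployment access outside the authorized group. The following Python is an added example (it is not the checklist's own material and not any Commonwealth agency's tooling) that turns those questions into checks over a constructed identity extract. The role names, group names, the review date and every account record are assumptions made for illustration; the two-week deletion window and the "suspend on the last day" rule are the ones stated in item 11.4.

```python
"""Access-review checks over a constructed identity extract (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Role pairs that must not be held by one person. The first three follow the
# item 10.5 example (initiate, reconcile, approve); the last follows item 11.14
# (developers must not be able to deploy to production). Names are assumed.
SOD_CONFLICTS = {
    frozenset({"initiate_transaction", "reconcile_balances"}),
    frozenset({"initiate_transaction", "approve_transaction"}),
    frozenset({"handle_assets", "reconcile_balances"}),
    frozenset({"developer", "prod_deploy"}),
}
# Roles that item 11.4(3) and 11.7 restrict to authorized IT personnel (assumed names).
PRIVILEGED_ROLES = {"os_admin", "db_write_execute", "app_security_super", "prod_deploy"}
DELETE_AFTER_DAYS = 14   # item 11.4: IDs are deleted two weeks after separation


@dataclass
class Account:
    user_id: str
    group: str                      # HR org unit, e.g. "IT" or "Finance"
    roles: set
    status: str                     # "active", "suspended" or "deleted"
    separation_date: date | None = None
    compensating_control: str | None = None   # documented SoD exception (item 10.5)


def sod_findings(acct):
    """Flag conflicting role pairs; a documented compensating control is reported separately."""
    out = []
    for pair in SOD_CONFLICTS:
        if pair <= acct.roles:
            kind = "sod_exception_documented" if acct.compensating_control else "sod_conflict"
            out.append((kind, acct.user_id, tuple(sorted(pair))))
    return out


def separation_findings(acct, today):
    """Apply the item 11.4 timeline: suspend on the last day, delete after two weeks."""
    if acct.separation_date is None or acct.status == "deleted":
        return []
    days_gone = (today - acct.separation_date).days
    if days_gone < 0:
        return []                                   # separation is still in the future
    if days_gone >= DELETE_AFTER_DAYS:
        return [("should_be_deleted", acct.user_id, days_gone)]
    if acct.status != "suspended":
        return [("should_be_suspended", acct.user_id, days_gone)]
    return []


def privileged_findings(acct):
    """Privileged roles held by someone outside the IT group (items 11.4(3), 11.7)."""
    priv = acct.roles & PRIVILEGED_ROLES
    if priv and acct.group != "IT":
        return [("privileged_outside_it", acct.user_id, tuple(sorted(priv)))]
    return []


def review_accounts(accounts, today):
    findings = []
    for acct in accounts:
        findings += sod_findings(acct)
        findings += separation_findings(acct, today)
        findings += privileged_findings(acct)
    return findings


# Constructed sample extract; every record here is made up for the example.
TODAY = date(2017, 6, 30)
SAMPLE = [
    Account("jdoe", "Finance", {"initiate_transaction", "reconcile_balances"}, "active"),
    Account("asmith", "Finance", {"initiate_transaction", "approve_transaction"}, "active",
            compensating_control="weekly supervisory review of approvals, signed and dated"),
    Account("bjones", "Finance", {"reconcile_balances"}, "active", separation_date=date(2017, 6, 28)),
    Account("clee", "HR", {"db_write_execute"}, "active"),
    Account("dkim", "IT", {"os_admin"}, "active"),
    Account("eyoung", "IT", {"os_admin"}, "suspended", separation_date=date(2017, 6, 1)),
    Account("fdev", "IT", {"developer", "prod_deploy"}, "active"),
]


def run_sample():
    return review_accounts(SAMPLE, TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The review is deliberately a pure function over an exported list rather than a live directory query, so the same checks can be run against the evidence the business managers sign off on (item 11.6) and retained with it. A documented compensating control does not silence the conflict; it is reported under a different label so the exception list itself can be reviewed.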
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
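Items 11.22 and 11.23 state a backup cadence (daily incrementals, periodic fulls) and a rule that every failed job gets a helpdesk ticket. Auditing that against a job log by eye is error-prone, so here is an added Python example (not part of the checklist and not any agency's monitoring code) that checks a constructed backup job log for three things: every day in the review window has at least one successful backup, the gap between successful full backups never exceeds a configured number of days, and every failed job carries a ticket reference. The log format, the ticket identifiers, the seven-day full-backup interval and the dates are all assumptions made for the example.

```python
"""Backup-schedule completeness check over a constructed job log (added example)."""
from datetime import date, timedelta

# Constructed log export: date|job_type|status|ticket (empty ticket = none recorded).
SAMPLE_LOG = """\
2017-06-04|full|success|
2017-06-05|incremental|success|
2017-06-06|incremental|success|
2017-06-07|incremental|failed|INC-4471
2017-06-07|incremental|success|
2017-06-08|incremental|success|
2017-06-09|incremental|failed|INC-4480
2017-06-10|incremental|success|
2017-06-11|full|success|
2017-06-12|incremental|success|
2017-06-13|incremental|success|
2017-06-14|incremental|failed|
2017-06-14|incremental|success|
2017-06-15|incremental|success|
2017-06-16|incremental|success|
2017-06-17|incremental|success|
"""


def parse_log(text):
    """Parse the pipe-delimited export into dicts with a real date object."""
    jobs = []
    for line in text.strip().splitlines():
        day, kind, status, ticket = line.split("|")
        jobs.append({"date": date.fromisoformat(day), "type": kind,
                     "status": status, "ticket": ticket or None})
    return jobs


def check_backups(jobs, start_iso, end_iso, full_every_days=7):
    """Return a list of (finding, detail...) tuples for the review window [start, end]."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    findings = []

    # 1) Item 11.22: a successful backup of some kind on every day of the window.
    covered = {j["date"] for j in jobs if j["status"] == "success"}
    day = start
    while day <= end:
        if day not in covered:
            findings.append(("missing_daily_backup", day.isoformat()))
        day += timedelta(days=1)

    # 2) Item 11.22: successful full backups no more than full_every_days apart,
    #    measured from the window start and up to the window end.
    fulls = sorted(j["date"] for j in jobs
                   if j["type"] == "full" and j["status"] == "success" and start <= j["date"] <= end)
    checkpoints = [start] + fulls + [end]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        gap = (later - earlier).days
        if gap > full_every_days:
            findings.append(("full_backup_gap", earlier.isoformat(), later.isoformat(), gap))

    # 3) Item 11.23: every failed job must have a helpdesk ticket recorded.
    for j in jobs:
        if j["status"] == "failed" and not j["ticket"]:
            findings.append(("failure_without_ticket", j["date"].isoformat()))
    return findings


def check_sample(end_iso="2017-06-17"):
    """Run the checks on the constructed log from 2017-06-04 to end_iso."""
    return check_backups(parse_log(SAMPLE_LOG), "2017-06-04", end_iso)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

With the window ending on 2017-06-17 the sample produces two findings: no successful backup on 2017-06-09 (the failed job was ticketed but never re-run) and an unticketed failure on 2017-06-14 (the re-run succeeded, but item 11.23 still requires the failure to be documented). Extending the window past the last logged full backup surfaces a full-backup gap as well, which is the case a reviewer most wants the check to catch.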
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
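Items 10.9, 11.25 and 11.26 name the classic application controls for an interfaced batch: edit checks on each record, accounting for transactions in numerical sequence, a reject file for records that fail, and batch totals reconciled to a control record. The Python below is an added example (not from the checklist and not any Commonwealth system's interface code) that runs those controls over a constructed grant-expenditure batch. The record layout, the field names, the grant master list and the control-record format are assumptions made for illustration.

```python
"""Edit checks, reject handling and batch balancing for an interfaced file (added example)."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed input batch: TXN|sequence|grant|date|amount, followed by the
# control record the sending system attaches: CTL|record_count|amount_total.
SAMPLE_BATCH = """\
TXN|0001|GRANT-2017-014|2017-05-03|1250.00
TXN|0002|GRANT-2017-014|2017-05-04|87.50
TXN|0003|GRANT-2017-019|2017-05-31|-15.00
TXN|0004|GRANT-2017-019|2017-13-01|300.00
TXN|0006|GRANT-2017-099|2017-05-10|42.00
CTL|5|1664.50
"""
VALID_GRANTS = {"GRANT-2017-014", "GRANT-2017-019", "GRANT-2017-021"}   # constructed master data


def parse_amount(text):
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def edit_check(fields, expected_seq):
    """Return the edit-check failures for one TXN record; an empty list means accept."""
    if len(fields) != 5 or fields[0] != "TXN":
        return ["bad_layout"]
    _, seq, grant, txn_date, amount = fields
    errors = []
    if not seq.isdigit():
        errors.append("bad_sequence")
    elif int(seq) != expected_seq:                      # numerical sequence check (item 10.9)
        errors.append(f"sequence_gap:expected_{expected_seq:04d}")
    if grant not in VALID_GRANTS:                       # validation against source/master data
        errors.append("unknown_grant")
    try:
        date.fromisoformat(txn_date)
    except ValueError:
        errors.append("bad_date")
    value = parse_amount(amount)
    if value is None:
        errors.append("bad_amount")
    elif value <= 0:
        errors.append("non_positive_amount")
    return errors


def process_batch(text):
    """Validate every record, split accepted from rejected, and balance to the control record."""
    lines = text.strip().splitlines()
    if not lines or not lines[-1].startswith("CTL|"):
        raise ValueError("batch has no control record")
    _, ctl_count, ctl_total = lines[-1].split("|")
    accepted, rejected = [], []
    input_total, expected_seq = Decimal("0"), 1
    for line in lines[:-1]:
        fields = line.split("|")
        errors = edit_check(fields, expected_seq)
        if len(fields) == 5 and fields[1].isdigit():
            expected_seq = int(fields[1]) + 1           # only the gap itself is flagged
        amount = parse_amount(fields[4]) if len(fields) == 5 else None
        if amount is not None:
            input_total += amount                        # hash total over everything received
        (rejected if errors else accepted).append({"record": line, "errors": errors, "amount": amount})
    accepted_total = sum((r["amount"] for r in accepted), Decimal("0"))
    rejected_total = sum((r["amount"] for r in rejected if r["amount"] is not None), Decimal("0"))
    return {
        "accepted": accepted,
        "rejected": rejected,                            # the reject file to be worked (item 11.26)
        "control_count_ok": len(lines) - 1 == int(ctl_count),
        "control_total_ok": input_total == Decimal(ctl_total),
        "input_total": input_total,
        "accepted_total": accepted_total,
        "rejected_total": rejected_total,                # accepted + rejected must equal input
    }


if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print("count ok:", result["control_count_ok"], "total ok:", result["control_total_ok"])
    for r in result["rejected"]:
        print("REJECT", r["record"], r["errors"])
```

Two points the code makes that the checklist wording leaves implicit: the control-record totals are computed over every record received, not only the accepted ones, so a file truncated in transit fails the count and total checks even if all surviving records are clean; and rejected records are retained with their amounts so the three totals (input, accepted, rejected) can be shown to balance in the reconciliation support the reviewer signs.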
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and in compliance with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored

Revised Green Book Principles: 5 Components and 17 Principles

Working Framework: Component / Principle / Attribute

Principles and Attributes

• In general, all components and principles are required for an effective internal control system.

• Principles and attributes
  – The entity should implement relevant principles.
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles.

Principles and Attributes (cont)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

• Attributes provide further explanation of the principle and its documentation requirements; they may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

Management Evaluation

• An effective internal control system requires that each of the five components is:
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system.

• A component is not effective if its related principles are not effective.

Layout of the Green Book

(Figure: the Green Book's two sections, Overview and Standards.)

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

Minimum Documentation Requirements (cont.)

Requirement | Component (Green Book reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework.

• Internal controls are undermanaged:
  – No formal risk assessment
    ◊ The "stuff happens" technique
    ◊ "Trust level" is the dominant form of risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls:
  – Management relies on auditor recommendations as its sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls.

Incremental Progress - Organizing

Starting from HERE, with the supporting artifact for each step:

1. Formally declare an internal control framework (Written Policy, required)
2. Break down the organization into functions (Risk Assessment Spreadsheet)
3. Establish a process for evaluating risks (Risk Assessment Spreadsheet)
4. Create teams by function to brainstorm risks (Risk Assessment Spreadsheet)

Incremental Progress - Analysis and Monitoring

5. Analyze identified risks
6. Align existing controls with identified risks
7. Design controls to mitigate high-exposure risks
8. Develop a process to ensure the controls are operating as designed

…which gets you THERE.

Supporting artifacts for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (required); Internal Audit / Management Audit Plan (required).

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy

• Consider management training on internal controls

• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment and risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Enterprise Risk Management

Risk scoring factors and their weights (the weights total 100):

  Level of documented control procedures          10
  Size or volume                                  10
  New products, services, or processing systems   10
  Personnel turnover and mix                      15
  Complexity                                      15
  Susceptibility to fraud                         15
  Information and reporting                       10
  Inherent level of risk to the organization      10
  Frequency mentioned during interviews            5

Each risk is scored on every factor (1 to 5 in the rows below). The Total Score is the weighted sum of the nine factor scores; for Data Breach, 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405.

RISK DESCRIPTION | Factor scores (in the order above) | Total Score

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner, but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available, or not having the capabilities, to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
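The Total Score column above is a weighted sum, which is easy to get silently wrong in a spreadsheet once a weight cell or a row is edited. The following is an added example, not part of the original deck or of the Commonwealth template: a small Python script that encodes the nine factors and weights from the table above, checks that the weights still total 100 and that every score lies in the 1-to-5 range the sample rows use (that range is an assumption, not something the deck states), recomputes the totals, ranks the register, and shows which factors drive a given total. The function names and the range check are this example's own; the factor names, weights, and five sample rows are the ones shown above.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management sheet above.

Added example, not code from the original deck. Total = sum(score_i * weight_i);
with weights summing to 100, a row scored 5 everywhere totals 500 and a row
scored 1 everywhere totals 100.
"""

# Factor names and weights transcribed from the table above.
FACTORS = (
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
)
WEIGHTS = tuple(w for _, w in FACTORS)

# Assumption: scores use a 1-to-5 scale, as every sample row in the sheet does.
MIN_SCORE, MAX_SCORE = 1, 5


def validate_weights(weights=WEIGHTS):
    """The weights are percentages of the total; a mis-edited cell breaks every row."""
    total = sum(weights)
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def total_score(scores, weights=WEIGHTS):
    """Weighted sum that reproduces the sheet's Total Score column."""
    if len(scores) != len(weights):
        raise ValueError(f"expected {len(weights)} factor scores, got {len(scores)}")
    for (name, _), s in zip(FACTORS, scores):
        if not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"{name!r}: score {s} outside {MIN_SCORE}-{MAX_SCORE}")
    return sum(s * w for s, w in zip(scores, weights))


def rank_risks(register, weights=WEIGHTS):
    """Return (name, total) pairs, highest exposure first; ties keep register order."""
    validate_weights(weights)
    scored = [(name, total_score(scores, weights)) for name, scores in register]
    return sorted(scored, key=lambda item: -item[1])


def top_factor_contributions(scores, n=3):
    """Which factors drive a row's total: useful when deciding what control to design."""
    contrib = [(name, s * w) for (name, w), s in zip(FACTORS, scores)]
    return sorted(contrib, key=lambda item: -item[1])[:n]


# Sample register: the five rows from the sheet above (scores in factor order).
SAMPLE_REGISTER = [
    ("Data Breach",                        (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    ("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    ("Age of Venue - Filene Center",       (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    ("Succession Planning",                (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    ("Audience Competition",               (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for name, total in rank_risks(SAMPLE_REGISTER):
        print(f"{total:4d}  {name}")
    for factor, points in top_factor_contributions(SAMPLE_REGISTER[0][1]):
        print(f"  Data Breach driver: {factor} ({points} points)")
```

Running the script reproduces the five totals in the sheet (405, 335, 335, 335, 330) and shows that Complexity and Susceptibility to fraud contribute most to the Data Breach score, which is the kind of information step 7 above ("design controls to mitigate high-exposure risks") needs.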

Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

Internal Audit / Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

Examples (representative Commonwealth processes mapped to Green Book principles)

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe, locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30 20xx Deficiency
Significant Deficiency
Material Weakness
Agency _______________________ Assessable Unit_____________ Updated 07182016
To be completed for all significant deficiencies or material weaknesses
Control Factor Statement Control Factor Question NA Controls Implemented Action ItemsAreas Needing Improvement Weakness Level Corrective Action Plan Responsible Party Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
43 Employees receiveobtain information and training about internal controls as it pertains to onersquos position role and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system Does each employee in the AgencyAssessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system If yes how often does this training occur
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for nonfinancial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, is one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security/Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security/Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
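As an added example (not from the Green Book or this presentation), the following PowerShell gathers evidence for 11.3, 11.4 and 11.6 from an Active Directory domain: it compares the default domain password policy with the 11.3 thresholds, lists disabled IDs still present after the two-week window in 11.4, and exports the user/group listing a business manager signs off during the 11.6 review. It assumes the RSAT ActiveDirectory module and a read-only domain account; the function names, the 14-day default and the CSV path are this example's own choices.

```powershell
# Added example, not from the Green Book or the CLA presentation: evidence
# collection for controls 11.3, 11.4 and 11.6 against an Active Directory
# domain. Assumes the RSAT ActiveDirectory module and a read-only domain
# account; function names, the 14-day default and the CSV path are choices
# made for this example.
Import-Module ActiveDirectory

# Thresholds exactly as control 11.3 states them.
$Control113 = @{ MinLength = 8; MaxAgeDays = 30; LockoutThreshold = 4 }

function Test-PasswordPolicy {
    # Returns findings; no output means the default domain policy meets 11.3.
    # Fine-grained password policies (PSOs) can override the default for
    # specific groups and are not checked here.
    $p = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.MinPasswordLength -lt $Control113.MinLength) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); control requires $($Control113.MinLength)")
    }
    # AD has no separate 'one numeric and one alpha' switch; complexity is the
    # enforceable setting that covers it, so its absence is a finding.
    if (-not $p.ComplexityEnabled) {
        $findings.Add("ComplexityEnabled is false; numeric and alpha characters are not enforced")
    }
    # A MaxPasswordAge of zero means passwords never expire.
    $ageDays = $p.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $Control113.MaxAgeDays) {
        $findings.Add("MaxPasswordAge is $ageDays days; control requires expiry every $($Control113.MaxAgeDays)")
    }
    # A LockoutThreshold of zero means accounts never lock.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Control113.LockoutThreshold) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); control requires $($Control113.LockoutThreshold)")
    }
    # A non-zero LockoutDuration unlocks the account by itself after that
    # interval, which is weaker than the 'suspended status' the control describes.
    if ($p.LockoutDuration -ne [TimeSpan]::Zero) {
        $findings.Add("LockoutDuration is $($p.LockoutDuration); locked accounts self-unlock instead of staying suspended")
    }
    return $findings
}

function Get-OverdueDisabledAccounts {
    # Control 11.4 step 2: IDs are suspended on the last day and deleted after
    # two weeks. Lists disabled accounts still present past that window.
    # whenChanged is the last modification, so it is an upper bound on the
    # disable date; the exact event is in the domain controller security log.
    param([int]$RetentionDays = 14)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged,
            @{ Name = 'DaysDisabled'; Expression = { [int]((Get-Date) - $_.whenChanged).TotalDays } }
}

function Export-AccessReview {
    # Control 11.6: semiannual review sheet listing each enabled user's group
    # memberships for the business manager to confirm.
    param([string]$Path = '.\access-review.csv')
    Get-ADUser -Filter 'Enabled -eq $true' -Properties Department, Manager, LastLogonDate |
        ForEach-Object {
            $groups = (Get-ADPrincipalGroupMembership -Identity $_ | Select-Object -ExpandProperty Name) -join ';'
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Department      = $_.Department
                Manager         = $_.Manager
                LastLogonDate   = $_.LastLogonDate
                Groups          = $groups
                ManagerConfirms = ''   # Y/N entered by the business manager
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}

# Run all three and print the evidence.
Test-PasswordPolicy | ForEach-Object { Write-Output "FINDING (11.3): $_" }
Get-OverdueDisabledAccounts | Format-Table -AutoSize
Export-AccessReview
```

The CSV and the two console listings are the artifacts an auditor would ask to see for these controls; keep them with the signed review sheet.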
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
1127 A disaster response and recovery plan has been developed and is understood by key personnel As part of developing this plan management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources Has a disaster response and recovery plan been developed and is it understood by key personnel As part of developing this plan has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources
1128 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management
1129 Management has established a comprehensive contingency plan that allows for the timely recovery of information This plan is periodically tested and adjusted as appropriate Has management established a comprehensive contingency plan that allows for the timely recovery of information Is this plan periodically tested and adjusted as appropriate
End-User Computing
1130 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543) Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)
Principle 12 ndash Implement Control Activities
121 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended Are control activities regularly evaluated to ensure that they are still appropriate and working as intended
122 Reviews are made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed Are reviews made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed
123 Management documents in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities Does management document in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities
Information and Communication
Principle 13 ndash Use Quality Information
131 Management continuously identifies its information requirements needed to communicate effectively both internally and externally This would include managements review of changes to statute regulations economic changes and other factors How does management continuously identify changes (ie control environment controls internal controls regulations etc)and ensure it is communicated internally andor externally
132 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements Where and when does management obtain its relevant data (both internally and externally) and how does management ensure that information received is reliable and not reporting false information
133 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agencys information system Is management using current complete accurate and accessible information on a timely basis to make informed decisions What reporting mechanisms (ie SAP module manual reports) are being used to run reports to meet the control objectives
Principle 14 ndash Communication Internally
141 Policies and procedures are formally shared with employees up-to-date reflective of actual operating practices in alignment with goals and objectives and comply with state and federal program requirements How are changes (ie policyprocedural compliance or regulatory) communicated to all employees Are policies and procedures reviewed and updated to reflect changes
142 Management ensures that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur How does management ensure that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Working Framework

Component, Principle, Attribute


Principles and Attributes

• In general, all components and principles are required for an effective internal control system.

• Principles and attributes:
  – Entity should implement relevant principles.
    ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
  – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles.


Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components, and represent requirements necessary to establish an effective internal control system.

• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.


Management Evaluation

• An effective internal control system requires that each of the five components are:
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system.

• A component is not effective if related principles are not effective.

Layout of the Green Book

• Overview
• Standards


5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework.

• Internal controls are undermanaged:
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls:
  – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls.


Incremental Progress - Organizing

HERE

1. Formally declare an internal control framework (deliverable: Written Policy, required)
2. Break down the organization into functions (deliverable: Risk Assessment Spreadsheet)
3. Establish a process for evaluating risks (deliverable: Risk Assessment Spreadsheet)
4. Create teams by function to brainstorm risks (deliverable: Risk Assessment Spreadsheet)


Incremental Progress - Analysis and Monitoring

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high-exposure risks
4. Develop a process to ensure the controls are operating as designed

THERE

Deliverables shown against these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, significant deficiency, or material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability of outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Factors and weights (column order; weights sum to 100):
  F1 Level of documented control procedures (10)
  F2 Size or volume (10)
  F3 New products, services or processing systems (10)
  F4 Personnel turnover and mix (15)
  F5 Complexity (15)
  F6 Susceptibility to fraud (15)
  F7 Information and reporting (10)
  F8 Inherent level of risk to the organization (10)
  F9 Frequency mentioned during interviews (5)
  Total Score = sum over factors of weight × score

RISK DESCRIPTION | F1 | F2 | F3 | F4 | F5 | F6 | F7 | F8 | F9 | Total Score
Data Breach: The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330
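As an added example (not part of the slide deck or the Commonwealth template), the scoring rule behind the table above in Python: the factor weights from the header row, the weighted total per risk, a ranking, and the factors that contribute most to each total. Factor names are as read from the sheet's header; the dataclass and function names are my own.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management sheet.

Each risk is rated 1-5 on nine factors; every factor carries a weight (the
weights sum to 100) and Total Score = sum(weight * rating). The register
below holds the five rows of the table on this page.
"""
from dataclasses import dataclass

# Factor names and weights from the sheet's header row (weights sum to 100).
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]


@dataclass
class ScoredRisk:
    name: str
    scores: list    # one 1-5 rating per factor, in FACTORS order
    total: int      # weighted total, same rule as the sheet's Total Score
    drivers: list   # (factor, weight * rating) pairs contributing most


def validate_weights(factors=FACTORS) -> bool:
    """A scoring scheme is only comparable across risks if weights sum to 100."""
    return sum(w for _, w in factors) == 100


def score_risk(name, scores, factors=FACTORS, top_n=2) -> ScoredRisk:
    """Apply the weights to one risk's ratings and note its top contributors."""
    if len(scores) != len(factors):
        raise ValueError(f"{name}: expected {len(factors)} ratings, got {len(scores)}")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError(f"{name}: ratings must be on the 1-5 scale")
    contributions = [(f, w * s) for (f, w), s in zip(factors, scores)]
    total = sum(c for _, c in contributions)
    drivers = sorted(contributions, key=lambda fc: fc[1], reverse=True)[:top_n]
    return ScoredRisk(name, list(scores), total, drivers)


def rank_register(register, factors=FACTORS):
    """Score every (name, ratings) entry and order by total, highest first.

    sorted() is stable, so risks with equal totals keep their sheet order.
    """
    if not validate_weights(factors):
        raise ValueError("factor weights must sum to 100")
    scored = [score_risk(n, s, factors) for n, s in register]
    return sorted(scored, key=lambda r: r.total, reverse=True)


# The five risks from the sheet on this page, ratings in FACTORS order.
WOLF_TRAP_REGISTER = [
    ("Data Breach",                        [2, 5, 4, 3, 5, 4, 5, 5, 3]),
    ("National Park Service Relationship", [3, 5, 4, 3, 4, 1, 2, 5, 5]),
    ("Age of Venue - Filene Center",       [3, 5, 4, 3, 4, 3, 1, 4, 3]),
    ("Succession Planning",                [5, 2, 1, 5, 3, 2, 3, 5, 5]),
    ("Audience Competition",               [3, 5, 3, 1, 4, 2, 4, 5, 5]),
]

if __name__ == "__main__":
    for r in rank_register(WOLF_TRAP_REGISTER):
        top = ", ".join(f"{f} ({c})" for f, c in r.drivers)
        print(f"{r.total:4d}  {r.name:36s} drivers: {top}")
```

Running it reproduces the sheet's totals (405, 335, 335, 335, 330) and shows that Complexity and Susceptibility to fraud carry the Data Breach score, which is where a control designer would look first.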


Internal Control Policies and Procedures

• Develop a template and a location for access and storage:
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components:
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture, Weights and Measures Division, inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________ Assessable Unit: _____________ Updated 07/18/2016
Weakness Level (to be completed for all significant deficiencies or material weaknesses): Deficiency / Significant Deficiency / Material Weakness

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 | Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency. | Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?
1.2 | Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). | Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 | Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). | Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 | The oversight body oversees management's design, implementation, and operation of the agency's internal control system. | Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?
(unnumbered) | Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. | Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility, and Authority
3.1 | Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. | Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 | Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. | How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 | Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. | How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 | Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials, and references of new employees. | When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 | Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. | Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 | Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. | Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
51 Management enforces accountability of all individuals including all agency personnel as well as all service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations
52 Job performance is periodically evaluated and reviewed with each employee Appropriate remedial action is taken when performance expectations are not met Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individualrsquos position or status Does your AgencyAssessable Unit enforce accountability with respect to management staff and contractors Are performance evaluations being conducted on a timely basis to ensure job duties (ie reconciliations reviews) are being performed What remedial actions are taken when performance is not adequate or inappropriate behavior is reported
53 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities Excessive pressures are adjusted by rebalancing workloads increasing resource levels or by other methods Is excessive pressure placed on management staff contractors etc to complete tasks andor their assigned duties If yes how do you protect against the related risks of corners being cut quality diminishing etc
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the agency. The agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Questions: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Questions: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define a reasonable level of precision and accuracy for nonfinancial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (e.g., a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Questions: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Questions: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Questions: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Questions: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes toward their specific roles in the agency, reviews the effectiveness of the organizational structure, and evaluates the appropriateness of policies and procedures.
Questions: Is management open to feedback from employees, and does management continually assess employee attitudes toward their roles (e.g., through an open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plans and status updates to management; and 2) allocating resources to those areas of risk where the combination of likelihood and impact would produce the greatest negative consequences.
Questions: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including the follow-up, corrective action, accountability, and communication described in 1) and the risk-based allocation of resources described in 2)?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Questions: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (e.g., in meeting minutes)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; employees periodically receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond in a timely manner if a fraud allegation is made.
Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond in a timely manner if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies the fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy the control deficiencies identified.
Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Questions: How does management respond to identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Questions: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Questions: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as Social Security numbers or protected health information.
Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
Questions: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk.
Questions: Does your Agency/Assessable Unit have a process in place to ensure adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should cover access control, user provisioning, etc. At a minimum, management should perform an annual review of roles to ensure proper segregation of duties within IT systems.
Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned within your IT systems? Do the procedures cover access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure that certain transactions receive appropriate levels of review, based on predetermined criteria set by management in response to identified risks (e.g., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review and approval?
10.8 Accounting reports and key reconciliations are completed in a timely manner (e.g., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations are performed). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Questions: Are accounting reports and reconciliations completed in a timely manner, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address the risks surrounding its control objectives. Management considers the following controls when designing effective control procedures:
• top-level reviews of performance;
• management of human capital;
• controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals compared with control accounts);
• physical control over vulnerable assets;
• appropriate documentation (formal policies, directives, and manuals are properly managed and maintained).
Questions: Does management use the appropriate types of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity level, bureau level, transaction level) in response to identified risks. Management incorporates transaction/activity-level controls (e.g., reconciliations, authorizations) into the operational process when necessary, depending on the relevance of the transaction cycle to meeting the overall bureau control objective.
Questions: Does management design controls at the appropriate level in response to identified risks? Has management incorporated transaction/activity-level controls depending on the relevance of the transaction cycle to meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible for maintaining and the required retention period. Records are appropriately filed and are disposed of according to the current retention schedule.
Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports; security assessments; system certifications) should be or are required as part of the contract with the third-party service provider. Note that only a Type 2 report (SOC 1 or SOC 2) tests operating effectiveness over a period; a Type 1 report covers design at a point in time, and a SOC 3 report is a general-use summary without detailed test results.
Questions: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be or are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern or deficiencies identified in the reports. The review should also cover the report's scope period, any exceptions noted by the service auditor, and the complementary user entity controls the report assumes the user organization performs.
Questions: Does management obtain and review all independent reports to ensure each report covers controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern or deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Questions: Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy / User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (e.g., via an online shared document repository or web portal with documents available for employee review and access).
Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alphabetic character are required, and passwords expire every 30 days. After four invalid login attempts the user ID is locked out and placed in a suspended status. Note: the 30-day expiry is this questionnaire's baseline; NIST SP 800-63B (2017) recommends that verifiers not require periodic password changes absent evidence of compromise, relying instead on screening against compromised-password lists and multi-factor authentication, so an agency that documents a longer or no rotation interval with those compensating controls is not necessarily deficient.
Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alphabetic character, and do passwords expire every 30 days? Are user IDs locked out and placed in a suspended status after four invalid login attempts?
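The password parameters in 11.3 map directly onto the domain password policy attributes that the ActiveDirectory PowerShell module exposes. The following function is an added example written for this page, not part of the CLA questionnaire: it takes a policy object with the property names returned by Get-ADDefaultDomainPasswordPolicy (MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold) and reports every parameter that falls short of the 11.3 baseline. The sample policy at the bottom is constructed to show failures; on a domain-joined host with the module installed, pass (Get-ADDefaultDomainPasswordPolicy) or each object from Get-ADFineGrainedPasswordPolicy -Filter * instead. One caveat for the reviewer: AD has no separate "one letter and one digit" switch; the nearest native control is the complexity rule, which requires characters from three of four classes, so the check treats ComplexityEnabled as the proxy for that requirement.

```powershell
# Added example (not from the questionnaire): compare a domain password policy
# against the parameters listed in item 11.3. The object passed in uses the same
# property names as the output of Get-ADDefaultDomainPasswordPolicy, so on a
# domain-joined host with the ActiveDirectory module you can run:
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
# Fine-grained policies (Get-ADFineGrainedPasswordPolicy -Filter *) expose the
# same properties and can be checked the same way.

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        # Baseline values are taken from item 11.3 of the questionnaire.
        [int]$MinLength        = 8,
        [int]$MaxAgeDays       = 30,
        [int]$LockoutThreshold = 4
    )

    $findings = @()

    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); baseline requires at least $MinLength"
    }

    # AD has no separate 'one digit and one letter' switch; the closest control is
    # the built-in complexity rule (three of four character classes), used here as a proxy.
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is False; the alphabetic+numeric requirement is not enforced"
    }

    # MaxPasswordAge is a TimeSpan; a zero TimeSpan means passwords never expire.
    $maxAge = [TimeSpan]$Policy.MaxPasswordAge
    if ($maxAge -eq [TimeSpan]::Zero) {
        $findings += "MaxPasswordAge is 0 (passwords never expire)"
    } elseif ($maxAge.TotalDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $([int]$maxAge.TotalDays) days; baseline is $MaxAgeDays"
    }

    # LockoutThreshold 0 means accounts are never locked out after failed logins.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (no lockout on failed logins)"
    } elseif ($Policy.LockoutThreshold -gt $LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); baseline is $LockoutThreshold"
    }

    if ($findings.Count -eq 0) { return "PASS: policy meets the 11.3 baseline" }
    return $findings
}

# Constructed sample policy (weaker than the baseline on three of the four points).
$samplePolicy = [PSCustomObject]@{
    MinPasswordLength = 7
    ComplexityEnabled = $true
    MaxPasswordAge    = [TimeSpan]::FromDays(90)
    LockoutThreshold  = 0
}

Test-PasswordPolicy -Policy $samplePolicy
```

Run against the constructed policy, the function reports three findings (length, age, lockout) and stays silent on complexity. Because the check is parameterized, an agency that has adopted a different documented baseline (for example, a longer rotation interval backed by compromised-password screening) can pass its own values rather than the questionnaire's.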
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date, and are user IDs deleted after the two-week period? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
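A leaver reconciliation is the evidence an assessor will ask for under 11.4(2): every separated employee's ID disabled on the last day and deleted two weeks later. The following function is an added example, not part of the questionnaire: it joins an HR separation list to a directory extract and returns the exceptions to that process. The HR feed and directory records below are constructed; in practice the account list would come from Get-ADUser -Filter * -Properties Enabled and the separation list from the HR system's export. The column names (SamAccountName, LastDay, Enabled) are assumptions about those exports.

```powershell
# Added example (not from the questionnaire): reconcile an HR separation list
# against directory accounts to test the 11.4 leaver process (suspend the ID on
# the last day, delete it two weeks later). Live data would come from
# Get-ADUser -Filter * -Properties Enabled; the sample below is constructed.

function Get-LeaverExceptions {
    param(
        [Parameter(Mandatory)] [object[]]$Separations,   # objects with SamAccountName, LastDay
        [Parameter(Mandatory)] [object[]]$Accounts,      # objects with SamAccountName, Enabled
        [datetime]$AsOf = (Get-Date).Date,               # review date; fixed in the sample for repeatability
        [int]$DeleteAfterDays = 14                       # the two-week deletion window in 11.4
    )

    # Index accounts by login so each HR record is a single lookup.
    $byLogin = @{}
    foreach ($a in $Accounts) { $byLogin[$a.SamAccountName.ToLower()] = $a }

    $exceptions = @()
    foreach ($s in $Separations) {
        $lastDay = ([datetime]$s.LastDay).Date
        if ($lastDay -gt $AsOf) { continue }             # still employed as of the review date

        $acct = $byLogin[$s.SamAccountName.ToLower()]
        if ($null -eq $acct) { continue }                # account already deleted: compliant

        $daysSince = ($AsOf - $lastDay).Days
        if ($acct.Enabled) {
            # Should have been suspended on the last day, regardless of how long ago.
            $exceptions += [PSCustomObject]@{
                SamAccountName  = $s.SamAccountName
                Issue           = 'Still enabled after last day'
                DaysPastLastDay = $daysSince
            }
        } elseif ($daysSince -gt $DeleteAfterDays) {
            # Suspended correctly, but the deletion step is overdue.
            $exceptions += [PSCustomObject]@{
                SamAccountName  = $s.SamAccountName
                Issue           = 'Disabled but not deleted within window'
                DaysPastLastDay = $daysSince
            }
        }
    }
    return $exceptions
}

# Constructed HR separation feed and directory extract.
$hr = @(
    [PSCustomObject]@{ SamAccountName = 'jdoe';   LastDay = '2017-03-01' },
    [PSCustomObject]@{ SamAccountName = 'asmith'; LastDay = '2017-03-20' },
    [PSCustomObject]@{ SamAccountName = 'bkhan';  LastDay = '2017-02-10' },
    [PSCustomObject]@{ SamAccountName = 'clee';   LastDay = '2017-04-15' }
)
$ad = @(
    [PSCustomObject]@{ SamAccountName = 'jdoe';   Enabled = $true  },   # never suspended
    [PSCustomObject]@{ SamAccountName = 'asmith'; Enabled = $false },   # suspended, inside the 14-day window
    [PSCustomObject]@{ SamAccountName = 'bkhan';  Enabled = $false },   # suspended, deletion overdue
    [PSCustomObject]@{ SamAccountName = 'clee';   Enabled = $true  }    # last day is in the future
)

Get-LeaverExceptions -Separations $hr -Accounts $ad -AsOf ([datetime]'2017-03-31') | Format-Table -AutoSize
```

With the constructed data the report lists jdoe (still enabled) and bkhan (disabled but past the deletion window); asmith and clee are compliant. Matching on SamAccountName assumes HR and the directory share that key; where they do not, join on the employee ID attribute instead.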
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-On).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job functions. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job functions? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users / Privileged Access: 1) Access to special privileges (e.g., security administrator or super-user roles) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: 1) Is access to special privileges (e.g., security administrator or super-user roles) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super-user activity logged and monitored?
11.8 Physical Access: 1) Access to the data center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have it. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the data center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports and logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports and logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and the results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are the results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 The administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform their job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is the administrative access required to implement system software changes into the production environment restricted to authorized personnel who require such access to perform their job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
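Item 10.6 asks for an annual review of IT roles for segregation of duties, and 11.14 names two specific conditions: developers must not hold production deployment access, and shared or system IDs must not exist. The following function, an added example that is not part of the questionnaire, tests both against group membership data and serves as the worked check for both items. The toxic pairs and group names (Developers, Prod-Deploy, AP-Clerks, AP-Approvers) are hypothetical, as is the use of the AD EmployeeID attribute to decide whether an account is attributable to a named person; the membership and account records are constructed. With the ActiveDirectory module the same data comes from Get-ADGroupMember for each group of interest and Get-ADUser -Properties EmployeeID.

```powershell
# Added example (not from the questionnaire): a toxic-combination and attribution
# check supporting the role reviews in 10.6 and 11.14. Group names and the toxic
# pairs are hypothetical; membership and account data below are constructed.
# Live data: Get-ADGroupMember <group> and Get-ADUser -Filter * -Properties EmployeeID.

function Find-SodConflicts {
    param(
        [Parameter(Mandatory)] [object[]]$Memberships,   # objects with User, Group
        [Parameter(Mandatory)] [object[]]$Accounts,      # objects with SamAccountName, EmployeeID
        # Pairs of roles that one person must not hold at the same time (hypothetical names).
        [hashtable[]]$ToxicPairs = @(
            @{ A = 'Developers'; B = 'Prod-Deploy'  },   # 11.14: developers cannot deploy to production
            @{ A = 'AP-Clerks';  B = 'AP-Approvers' }    # 10.5 pattern: initiate and approve the same transaction
        ),
        # Groups whose members must each be attributable to a named individual (11.14: no shared IDs).
        [string[]]$PrivilegedGroups = @('Prod-Deploy', 'Domain Admins')
    )

    # Build user -> list of groups.
    $groupsOf = @{}
    foreach ($m in $Memberships) {
        if (-not $groupsOf.ContainsKey($m.User)) { $groupsOf[$m.User] = @() }
        $groupsOf[$m.User] += $m.Group
    }
    # Build user -> EmployeeID; a missing or empty value means the ID is not tied to a person.
    $employeeIdOf = @{}
    foreach ($a in $Accounts) { $employeeIdOf[$a.SamAccountName] = $a.EmployeeID }

    $conflicts = @()
    foreach ($user in $groupsOf.Keys) {
        $groups = $groupsOf[$user]
        foreach ($pair in $ToxicPairs) {
            if (($groups -contains $pair.A) -and ($groups -contains $pair.B)) {
                $conflicts += [PSCustomObject]@{ User = $user; Finding = "Holds both $($pair.A) and $($pair.B)" }
            }
        }
        foreach ($g in $PrivilegedGroups) {
            if (($groups -contains $g) -and [string]::IsNullOrEmpty($employeeIdOf[$user])) {
                $conflicts += [PSCustomObject]@{ User = $user; Finding = "Member of $g with no EmployeeID (shared or system ID)" }
            }
        }
    }
    return $conflicts
}

# Constructed group memberships and account attributes.
$memberships = @(
    [PSCustomObject]@{ User = 'jdoe';      Group = 'Developers'   },
    [PSCustomObject]@{ User = 'jdoe';      Group = 'Prod-Deploy'  },   # developer who can also deploy
    [PSCustomObject]@{ User = 'asmith';    Group = 'Developers'   },
    [PSCustomObject]@{ User = 'mchen';     Group = 'Prod-Deploy'  },   # release manager, attributable
    [PSCustomObject]@{ User = 'deploysvc'; Group = 'Prod-Deploy'  },   # shared deployment ID
    [PSCustomObject]@{ User = 'rpatel';    Group = 'AP-Clerks'    },
    [PSCustomObject]@{ User = 'rpatel';    Group = 'AP-Approvers' }    # enters and approves invoices
)
$accounts = @(
    [PSCustomObject]@{ SamAccountName = 'jdoe';      EmployeeID = '10041' },
    [PSCustomObject]@{ SamAccountName = 'asmith';    EmployeeID = '10057' },
    [PSCustomObject]@{ SamAccountName = 'mchen';     EmployeeID = '10102' },
    [PSCustomObject]@{ SamAccountName = 'deploysvc'; EmployeeID = $null   },
    [PSCustomObject]@{ SamAccountName = 'rpatel';    EmployeeID = '10210' }
)

Find-SodConflicts -Memberships $memberships -Accounts $accounts | Format-Table -AutoSize
```

On the constructed data the check flags jdoe (developer with production deploy rights), rpatel (enters and approves the same transactions), and deploysvc (privileged membership with no attributable owner). Where the 11.14 alternative of deploying through a scheduled job is used, the service account that runs the job is a legitimate exception and should be documented with a named owner rather than suppressed from the report.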
Program Development
1115 A written system development lifecycle is established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software Has a written system development lifecycle been established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software
1116 For all new applications or upgrades appropriate project management documentation is prepared to define project scope requirements project plans and milestones Is appropriate project management documentation prepared for all new applications or upgrades Does this documentation define the project scope requirements project plans and milestones
1117 Management authorization is documented for all system implementations and upgrades For all new application development efforts a detailed design is established based on business requirements and considers all objectives including functionality and security during and after development Developers do not have access to modify final production code during and after system implementations Is management authorization documented for all system implementations and upgrades Is a detailed design established for all new application development efforts Is the design based on business requirements and does it consider all objectives including functionality and security during and after development How does the unit ensure that developers do not have access to modify final production code during and after system implementations
1118 For all new or upgraded applications testing is planned and results of successful testing by IT software vendors (if applicable) and user groups are documented prior to implementation Is testing planned for all new or upgraded applications Are results of successful testing by IT software vendors (if applicable) and user groups documented prior to implementation
1119 Management approval is requested and obtained prior to final implementation of a new or upgraded application Approval is documented Is management approval requested and obtained prior to final implementation of a new or upgraded application Is approval documented
1120 The implementation of new and upgraded application software is documented and supporting system documentation is established and retained If data migration is performed as a result of the newupgraded application software reconciliations are performed to ensure that data migrated successfully and accurately Support for reconciliations is retained A post-implementation review for all new or upgraded application software is performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment Is the implementation of new and upgraded application software documented and is supporting system documentation established and retained If data migration is performed as a result of the newupgraded application software are reconciliations performed to ensure that data migrated successfully and accurately Is support for reconciliations retained Is a post-implementation review for all new or upgraded application software performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
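The following Python routine is an added illustration of the application controls named in factors 11.25 and 11.26 (system edit checks, identification of rejected transactions, balancing, and reconciliation of the posted output to the input file); it is not part of the assessment template or of any Commonwealth system. The interface file layout, the field names, the trailer record, and the reference list of cost centers are all constructed for the example. It deliberately includes a rejected row whose amount cannot be parsed, so that the reconciliation reports an unexplained amount instead of silently balancing.

```python
"""Added example, not part of the assessment template: a batch-posting routine that
implements the application controls named in factors 11.25 and 11.26 (system edit
checks, identification of rejected transactions, balancing, and reconciliation of the
output to the input file).  File layout, field names, and reference data are
constructed for illustration."""
import csv
import io
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed interface file: header, detail rows, and a trailer row carrying the
# sender's control totals (record count, amount total) in the same three columns.
# Row 1003 has a letter O in its amount; row 1004 names an unknown cost center.
SAMPLE_INPUT = """\
txn_id,cost_center,amount
1001,CC-100,250.00
1002,CC-200,75.50
1003,CC-100,12O.00
1004,CC-999,40.00
1005,CC-200,1000.00
TRAILER,5,1485.50
"""

VALID_COST_CENTERS = {"CC-100", "CC-200", "CC-300"}  # constructed reference data


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)   # rows that passed every edit check
    rejected: list = field(default_factory=list)   # (txn_id, reason) awaiting resolution
    records_read: int = 0
    trailer_count: int = 0
    trailer_total: Decimal = Decimal("0")
    output_total: Decimal = Decimal("0")           # control total of posted rows
    rejected_total: Decimal = Decimal("0")         # rejected rows whose amount parsed
    unparsed_rejects: int = 0                      # rejected rows with no usable amount


def parse_amount(text):
    """Return the amount as a Decimal, or None if it is not a well-formed number."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def edit_check(row):
    """System edit checks for one detail row; returns a rejection reason or None."""
    if not re.fullmatch(r"\d+", row["txn_id"]):
        return "invalid txn_id"
    if row["cost_center"] not in VALID_COST_CENTERS:
        return f"unknown cost center {row['cost_center']}"
    amount = parse_amount(row["amount"])
    if amount is None:
        return f"non-numeric amount {row['amount']!r}"
    if amount <= 0:
        return "amount must be positive"
    return None


def process_batch(text):
    """Validate every detail row, post the accepted ones, and accumulate the figures
    needed to balance the batch against the sender's trailer."""
    result = BatchResult()
    for row in csv.DictReader(io.StringIO(text)):
        if row["txn_id"] == "TRAILER":
            result.trailer_count = int(row["cost_center"])
            result.trailer_total = Decimal(row["amount"])
            continue
        result.records_read += 1
        reason = edit_check(row)
        if reason is None:
            result.accepted.append(row)
            result.output_total += Decimal(row["amount"])
            continue
        result.rejected.append((row["txn_id"], reason))
        amount = parse_amount(row["amount"])
        if amount is None:
            result.unparsed_rejects += 1
        else:
            result.rejected_total += amount
    return result


def reconcile(result):
    """Balance the batch: records read must equal the trailer count, every record must
    be either posted or rejected, and the trailer total must equal posted + rejected
    amounts.  Returns (balanced, list_of_reconciling_items)."""
    items = []
    if result.records_read != result.trailer_count:
        items.append(f"records read {result.records_read} != trailer count "
                     f"{result.trailer_count}")
    if len(result.accepted) + len(result.rejected) != result.records_read:
        items.append("posted + rejected != records read")
    difference = result.trailer_total - result.output_total - result.rejected_total
    if difference != 0:
        items.append(f"unexplained amount {difference}; {result.unparsed_rejects} "
                     "reject(s) have no parseable amount and need manual resolution")
    return not items, items
```

Run on the constructed file, three rows post (control total 1325.50), two are rejected with reasons, and the reconciliation refuses to balance because 120.00 of the sender's trailer total is accounted for only by a reject whose amount could not be parsed; that reconciling item is what the control factor's "identification and resolution of rejected transactions" is meant to surface before the batch is closed.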
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies its information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners. Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level, when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Principles and Attributes

• In general, all components and principles are required for an effective internal control system

• Principles and attributes
 – Entity should implement relevant principles
 ◊ If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
 – Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles

Principles and Attributes (cont)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system

• Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity

Management Evaluation

• An effective internal control system requires that each of the five components are
 – Effectively designed, implemented, and operating
 – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system

• A component is not effective if related principles are not effective

Layout of the Green Book

[Figure: the Green Book's two sections, Overview and Standards]

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner
 – Control environment
 – Risk assessment
 – Control activities
 – Information and communication
 – Monitoring

Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)

Management develops and maintains documentation of its internal control system | Control Environment (3.09)

Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)

Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)

Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)

Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
 – No formal risk assessment
 ◊ "Stuff happens" technique
 ◊ "Trust level" is the dominant risk assessment
 – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
 – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

From HERE:

• Formally declare an internal control framework (deliverable: Written Policy (Required))

• Break down the organization into functions (deliverable: Risk Assessment Spreadsheet)

• Establish a process for evaluating risks (deliverable: Risk Assessment Spreadsheet)

• Create teams by function to brainstorm risks (deliverable: Risk Assessment Spreadsheet)

Incremental Progress - Analysis and Monitoring

• Analyze identified risks

• Align existing controls with identified risks

• Design controls to mitigate high exposure risks

• Develop a process to ensure the controls are operating as designed

...to THERE

Deliverables shown for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies, it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: The item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Enterprise Risk Management

Example risk assessment spreadsheet. Each risk is scored 1 to 5 against nine factors; the weights in the header row (which sum to 100) multiply the scores, and Total Score is the resulting weighted sum.

Factor weights: Level of documented control procedures 10 | Size or volume 10 | New products, services, or processing systems 10 | Personnel turnover and mix 15 | Complexity 15 | Susceptibility to fraud 15 | Information and reporting 10 | Inherent level of risk to the organization 10 | Frequency mentioned during interviews 5 | Total 100

RISK DESCRIPTION | Factor scores (in the order above) | Total Score

Data Breach: The risk that the organization's data is vulnerable from internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 5 4 3 5 4 5 5 3 | 405

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. | 3 5 4 3 4 1 2 5 5 | 335

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 5 4 3 4 3 1 4 3 | 335

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 2 1 5 3 2 3 5 5 | 335

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 5 3 1 4 2 4 5 5 | 330
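The scoring that produces the Total Score column above, worked through in Python as an added example (it is not code from the slide deck or from the organization whose risks are listed). The factor names, the weights in the header row, and the five risks' scores are transcribed from the spreadsheet; the ranking and top-driver helpers are additions that show how the weighted total can be decomposed so a reviewer can see which factors push a risk such as Data Breach to the top of the register.

```python
"""Added example, not part of the slide deck: the weighted scoring behind the
Total Score column of the enterprise risk assessment spreadsheet.  Factor names,
weights, and the five risks' scores are transcribed from the slide; the ranking
and contribution helpers are additions."""

# (factor, weight); the weights are the slide's header row and sum to 100.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
MAX_SCORE = 5 * sum(weight for _, weight in FACTORS)  # 500 when every factor is 5

# Scores (1-5 per factor, in FACTORS order) for the risks listed on the slide.
RISK_REGISTER = [
    ("Data Breach", [2, 5, 4, 3, 5, 4, 5, 5, 3]),
    ("National Park Service Relationship", [3, 5, 4, 3, 4, 1, 2, 5, 5]),
    ("Age of Venue - Filene Center", [3, 5, 4, 3, 4, 3, 1, 4, 3]),
    ("Succession Planning", [5, 2, 1, 5, 3, 2, 3, 5, 5]),
    ("Audience Competition", [3, 5, 3, 1, 4, 2, 4, 5, 5]),
]


def contributions(scores):
    """Weight x score for each factor, so a reviewer can see what drives a total."""
    if len(scores) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} scores, got {len(scores)}")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("each factor score must be an integer from 1 to 5")
    return [(name, weight * s) for (name, weight), s in zip(FACTORS, scores)]


def total_score(scores):
    """The spreadsheet's Total Score: the weighted sum of the nine factor scores."""
    return sum(points for _, points in contributions(scores))


def rank_risks(register):
    """Order the register by total score, highest first; ties keep register order
    (Python's sort is stable even with reverse=True)."""
    scored = [(name, total_score(scores)) for name, scores in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def top_drivers(scores, n=3):
    """The n factors contributing the most points to a risk's total."""
    return sorted(contributions(scores), key=lambda item: item[1], reverse=True)[:n]


if __name__ == "__main__":
    for name, score in rank_risks(RISK_REGISTER):
        print(f"{score:4d}/{MAX_SCORE}  {name}")
    print("Data Breach drivers:", top_drivers(RISK_REGISTER[0][1]))
```

Running the block reproduces the slide's totals (405, 335, 335, 335, 330) and shows that Data Breach leads the register mainly through Complexity (75 points) and Susceptibility to fraud (60 points), the two 15-weight factors on which it scored highest. The range check in `contributions` rejects a register row with a missing or out-of-range score rather than silently producing a plausible-looking total.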

Internal Control Policies and Procedures

• Develop a template and a location for access and storage
 – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
 – Identify the risk
 – Document the control activities
 – Strategy for communication

Internal Audit Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

Examples

Principle | Control Factor
1 | Executive Order 1980-18, Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness Level key: Deficiency / Significant Deficiency / Material Weakness

Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

To be completed for all significant deficiencies or material weaknesses.

Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency.
    Questions: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Questions: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Questions: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Questions: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Questions: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Questions: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Questions: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Questions: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials and references of new employees.
    Questions: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Questions: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Questions: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Questions: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Questions: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Questions: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Questions: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Questions: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Questions: How does management define its risk tolerance for their objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Questions: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Questions: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Questions: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Questions: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Questions: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Questions: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Questions: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Questions: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Questions: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Questions: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
    Questions: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Questions: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Questions: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
    Questions: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Questions: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) The agency/assessable unit documents its review of sub-recipients. 2) The agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Questions: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Questions: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Questions: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
    Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status.
    Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
    Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
    Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
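Control factors 11.3, 11.4 and 11.6 state concrete, checkable parameters (8-character minimum with alpha and numeric characters, 30-day expiry, suspension after four invalid attempts, suspend on the last day and delete two weeks later, semiannual access review). The Python below is an added example, not part of the template or of CLA's material: it evaluates a constructed directory policy export and a handful of constructed account records against those parameters and returns the findings an assessor would record under "Action Items/Areas Needing Improvement". The policy and account fields are hypothetical export fields, not Active Directory attribute names.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parameter values taken from control factors 11.3, 11.4 and 11.6 of the template.
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 30
LOCKOUT_THRESHOLD = 4              # invalid attempts before the ID is suspended
DELETE_AFTER_SEPARATION_DAYS = 14  # "after a two week period, user IDs are deleted"
ACCESS_REVIEW_INTERVAL_DAYS = 182  # "semiannual"


@dataclass
class PasswordPolicy:
    """Directory-wide password settings as exported by an administrator (hypothetical fields)."""
    min_length: int
    require_alpha: bool
    require_numeric: bool
    max_age_days: int
    lockout_threshold: int  # 0 means lockout is disabled


@dataclass
class UserAccount:
    """One directory account (hypothetical export fields)."""
    user_id: str
    password_last_set: date
    enabled: bool
    separation_date: Optional[date] = None     # HR-reported last day; None while employed
    last_access_review: Optional[date] = None  # when a business manager last attested


def check_password_policy(policy: PasswordPolicy) -> list[str]:
    """Compare the exported policy against the parameters in control factor 11.3."""
    findings = []
    if policy.min_length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum length {policy.min_length} < {MIN_PASSWORD_LENGTH}")
    if not (policy.require_alpha and policy.require_numeric):
        findings.append("alpha and numeric characters not both required")
    if policy.max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password expiry {policy.max_age_days} days > {MAX_PASSWORD_AGE_DAYS}")
    if policy.lockout_threshold == 0:
        findings.append("account lockout disabled")
    elif policy.lockout_threshold > LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold {policy.lockout_threshold} > {LOCKOUT_THRESHOLD}")
    return findings


def check_account(acct: UserAccount, as_of: date) -> list[str]:
    """Apply 11.3 (expiry), 11.4 (separation handling) and 11.6 (review) to one account."""
    findings = []
    if acct.separation_date is not None:
        # 11.4: the ID is suspended on the last day and deleted two weeks later.
        if as_of >= acct.separation_date and acct.enabled:
            findings.append("separated employee still enabled")
        if as_of - acct.separation_date > timedelta(days=DELETE_AFTER_SEPARATION_DAYS):
            findings.append("separated employee ID not deleted after two weeks")
        return findings  # the remaining checks apply only to active staff
    if not acct.enabled:
        return findings
    age = (as_of - acct.password_last_set).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password age {age} days exceeds {MAX_PASSWORD_AGE_DAYS}")
    if acct.last_access_review is None or \
            (as_of - acct.last_access_review).days > ACCESS_REVIEW_INTERVAL_DAYS:
        findings.append("no access review within the semiannual window")
    return findings


def run_assessment(policy: PasswordPolicy, accounts: list[UserAccount],
                   as_of: date) -> dict[str, list[str]]:
    """Return only the items with findings, keyed by 'policy' or by user ID."""
    results = {}
    policy_findings = check_password_policy(policy)
    if policy_findings:
        results["policy"] = policy_findings
    for acct in accounts:
        acct_findings = check_account(acct, as_of)
        if acct_findings:
            results[acct.user_id] = acct_findings
    return results


# Constructed sample data; not taken from the template or from any real directory.
AS_OF = date(2016, 7, 18)
SAMPLE_POLICY = PasswordPolicy(min_length=8, require_alpha=True, require_numeric=True,
                               max_age_days=90, lockout_threshold=10)
SAMPLE_ACCOUNTS = [
    UserAccount("user01", AS_OF - timedelta(days=45), True, None, AS_OF - timedelta(days=30)),
    UserAccount("user02", AS_OF - timedelta(days=10), False, AS_OF - timedelta(days=20)),
    UserAccount("user03", AS_OF - timedelta(days=10), True, AS_OF - timedelta(days=3)),
    UserAccount("user04", AS_OF - timedelta(days=10), True, None, AS_OF - timedelta(days=100)),
    UserAccount("user05", AS_OF - timedelta(days=10), True, None, AS_OF - timedelta(days=200)),
]

if __name__ == "__main__":
    for item, findings in run_assessment(SAMPLE_POLICY, SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{item}: {'; '.join(findings)}")
```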
Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
    Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
    Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
    Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
1115 A written system development lifecycle is established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software Has a written system development lifecycle been established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software
1116 For all new applications or upgrades appropriate project management documentation is prepared to define project scope requirements project plans and milestones Is appropriate project management documentation prepared for all new applications or upgrades Does this documentation define the project scope requirements project plans and milestones
1117 Management authorization is documented for all system implementations and upgrades For all new application development efforts a detailed design is established based on business requirements and considers all objectives including functionality and security during and after development Developers do not have access to modify final production code during and after system implementations Is management authorization documented for all system implementations and upgrades Is a detailed design established for all new application development efforts Is the design based on business requirements and does it consider all objectives including functionality and security during and after development How does the unit ensure that developers do not have access to modify final production code during and after system implementations
1118 For all new or upgraded applications testing is planned and results of successful testing by IT software vendors (if applicable) and user groups are documented prior to implementation Is testing planned for all new or upgraded applications Are results of successful testing by IT software vendors (if applicable) and user groups documented prior to implementation
1119 Management approval is requested and obtained prior to final implementation of a new or upgraded application Approval is documented Is management approval requested and obtained prior to final implementation of a new or upgraded application Is approval documented
1120 The implementation of new and upgraded application software is documented and supporting system documentation is established and retained If data migration is performed as a result of the newupgraded application software reconciliations are performed to ensure that data migrated successfully and accurately Support for reconciliations is retained A post-implementation review for all new or upgraded application software is performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment Is the implementation of new and upgraded application software documented and is supporting system documentation established and retained If data migration is performed as a result of the newupgraded application software are reconciliations performed to ensure that data migrated successfully and accurately Is support for reconciliations retained Is a post-implementation review for all new or upgraded application software performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment
Computer Operations
1121 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure the job scheduling application generates a visual alert Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure does the job scheduling application generates a visual alert Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented
1122 Full system backups are performed on a weeklymonthly basis In addition incremental backups of critical data are performed on a daily basis The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis Are full system backups performed on a weeklymonthly basis In addition are incremental backups of critical data performed on a daily basis Does the AgencyAssessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis
1123 In the event that a backup job fails or data processing performance is negatively affected a helpdesk ticket is created and computer operations personnel are responsible for investigation and documenting the resolution in the helpdesk ticket In the event that a backup job fails or data processing performance is negatively affected is a helpdesk ticket created and are computer operations personnel responsible for investigation and documenting the resolution in the helpdesk ticket
Data Integrity
1124 Management establishes restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals System analytics and exception reporting are used to ensure that all data processed are authorized Does management establish restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals Are system analytics and exception reporting used to ensure that all data processed are authorized
1125 Data validation procedures are in place to ensure accuracy of data manually entered andor interfaced into the system Data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports Are data validation procedures in place to ensure accuracy of data manually entered andor interfaced into the system Do data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports
1126 Application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file) Do application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file)
Disaster Recovery
1127 A disaster response and recovery plan has been developed and is understood by key personnel As part of developing this plan management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources Has a disaster response and recovery plan been developed and is it understood by key personnel As part of developing this plan has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources
1128 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management
1129 Management has established a comprehensive contingency plan that allows for the timely recovery of information This plan is periodically tested and adjusted as appropriate Has management established a comprehensive contingency plan that allows for the timely recovery of information Is this plan periodically tested and adjusted as appropriate
End-User Computing
1130 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543) Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)
Principle 12 ndash Implement Control Activities
121 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended Are control activities regularly evaluated to ensure that they are still appropriate and working as intended
122 Reviews are made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed Are reviews made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed
123 Management documents in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities Does management document in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities
Information and Communication
Principle 13 ndash Use Quality Information
131 Management continuously identifies its information requirements needed to communicate effectively both internally and externally This would include managements review of changes to statute regulations economic changes and other factors How does management continuously identify changes (ie control environment controls internal controls regulations etc)and ensure it is communicated internally andor externally
132 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements Where and when does management obtain its relevant data (both internally and externally) and how does management ensure that information received is reliable and not reporting false information
133 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agencys information system Is management using current complete accurate and accessible information on a timely basis to make informed decisions What reporting mechanisms (ie SAP module manual reports) are being used to run reports to meet the control objectives
Principle 14 ndash Communication Internally
141 Policies and procedures are formally shared with employees up-to-date reflective of actual operating practices in alignment with goals and objectives and comply with state and federal program requirements How are changes (ie policyprocedural compliance or regulatory) communicated to all employees Are policies and procedures reviewed and updated to reflect changes
142 Management ensures that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur How does management ensure that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored

©2017 CliftonLarsonAllen LLP

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Principles and Attributes (cont.)

• The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system

• Attributes provide further explanation of the principle and documentation requirements, and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity


Management Evaluation

• An effective internal control system requires that each of the five components be:
  – Effectively designed, implemented, and operating
  – Operating together in an integrated manner

• Management evaluates the effect of deficiencies on the internal control system

• A component is not effective if related principles are not effective

Layout of the Green Book

[Figure: layout of the Green Book, showing its Overview and Standards sections]

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


WEALTH ADVISORY | OUTSOURCING | AUDIT TAX AND CONSULTING

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

HERE
Formally declare an internal control framework
Break down the organization into functions
Establish a process for evaluating risks
Create teams by function to brainstorm risks

[Figure: work products shown beside the steps: Written Policy (Required); Risk Assessment Spreadsheet]


Incremental Progress - Analysis and Monitoring

Analyze identified risks
Align existing controls with identified risks
Design controls to mitigate high exposure risks
Develop a process to ensure the controls are operating as designed
THERE

[Figure: work products shown beside the steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)]


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Risk scoring criteria and weights (the weights sum to 100):

  Level of documented control procedures          10
  Size or volume                                   10
  New products, services, or processing systems    10
  Personnel turnover and mix                       15
  Complexity                                       15
  Susceptibility to fraud                          15
  Information and reporting                        10
  Inherent level of risk to the organization       10
  Frequency mentioned during interviews             5
  Total                                           100

Each risk is rated on every criterion, and the Total Score is the sum of the ratings multiplied by the criterion weights (e.g., Data Breach: 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405). Ratings below are listed in the order of the criteria above.

Data Breach
  Description: The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.
  Ratings: 2, 5, 4, 3, 5, 4, 5, 5, 3
  Total Score: 405

National Park Service Relationship
  Description: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.
  Ratings: 3, 5, 4, 3, 4, 1, 2, 5, 5
  Total Score: 335

Age of Venue - Filene Center
  Description: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
  Ratings: 3, 5, 4, 3, 4, 3, 1, 4, 3
  Total Score: 335

Succession Planning
  Description: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
  Ratings: 5, 2, 1, 5, 3, 2, 3, 5, 5
  Total Score: 335

Audience Competition
  Description: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
  Ratings: 3, 5, 3, 1, 4, 2, 4, 5, 5
  Total Score: 330
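The weighted scoring behind the slide's risk register, as an added example (not the deck's own spreadsheet): it validates that the weights sum to 100, computes each risk's Total Score from its ratings, ranks the register, and shows which criteria drive a given risk's score. The criteria, weights, risk names and ratings are the slide's; the 1–5 rating scale and the validation rules are assumptions.

```python
"""Weighted risk scoring as shown on the Enterprise Risk Management slide.

Each risk is rated on nine criteria; each rating is multiplied by that
criterion's weight (weights sum to 100) and the products are summed into a
Total Score, which ranks the risks.  Added example, not the deck's code.
"""
from __future__ import annotations

from dataclasses import dataclass

# Criteria and weights from the slide, in column order.
CRITERIA: list[tuple[str, int]] = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Assumption: ratings are whole numbers on a 1-5 scale (the slide shows 1..5).
RATING_MIN, RATING_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    ratings: tuple[int, ...]  # one rating per criterion, in CRITERIA order


def validate_weights(criteria: list[tuple[str, int]] = CRITERIA) -> None:
    """A register whose weights do not sum to 100 silently mis-ranks risks."""
    total = sum(weight for _, weight in criteria)
    if total != 100:
        raise ValueError(f"criterion weights sum to {total}, expected 100")


def total_score(risk: Risk, criteria: list[tuple[str, int]] = CRITERIA) -> int:
    """Weighted sum of the risk's ratings (the slide's Total Score column)."""
    if len(risk.ratings) != len(criteria):
        raise ValueError(
            f"{risk.name}: {len(risk.ratings)} ratings for {len(criteria)} criteria"
        )
    for rating in risk.ratings:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{risk.name}: rating {rating} outside 1-5 scale")
    return sum(rating * weight for rating, (_, weight) in zip(risk.ratings, criteria))


def rank_risks(
    risks: list[Risk], criteria: list[tuple[str, int]] = CRITERIA
) -> list[tuple[str, int]]:
    """Risks ordered highest score first; ties keep their register order."""
    validate_weights(criteria)
    scored = [(risk.name, total_score(risk, criteria)) for risk in risks]
    return sorted(scored, key=lambda item: -item[1])  # sorted() is stable


def top_drivers(
    risk: Risk, criteria: list[tuple[str, int]] = CRITERIA, n: int = 3
) -> list[tuple[str, int]]:
    """The n criteria contributing most to the risk's total, highest first."""
    contributions = [
        (name, rating * weight)
        for rating, (name, weight) in zip(risk.ratings, criteria)
    ]
    return sorted(contributions, key=lambda item: -item[1])[:n]


# The five risks and ratings from the slide.
WOLF_TRAP_REGISTER = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for name, score in rank_risks(WOLF_TRAP_REGISTER):
        print(f"{score:4d}  {name}")
    # Data Breach leads with 405, driven by Complexity (75) and
    # Susceptibility to fraud (60).
    print(top_drivers(WOLF_TRAP_REGISTER[0]))
```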

38


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

39


Internal Audit Management Audit Plan

40


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

41

  • Internal Control over Compliance – Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance – §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress – Organizing
  • Incremental Progress – Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle   Control Factor
1           Executive Order 1980-18 Amended, Code of Conduct
1           Performing professional and educational reference checks prior to hiring a new employee
3           Department organization charts
4           Annual employee performance evaluations
7           Dept. of Health's Pandemic Influenza Response Plan
10          Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10          User identification and password to log into your agency's computer network
10          Reconciling a petty cash checking account to the monthly bank statement
10          PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10          Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14          Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness levels: Deficiency / Significant Deficiency / Material Weakness
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016
To be completed for all significant deficiencies or material weaknesses.

Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Each row below gives the Control Factor Statement and the Control Factor Question; the remaining columns are blank in the template and are filled in during the assessment.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1  Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
     Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2  Statement: Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
     Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1  Statement: Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
     Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2  Statement: The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
     Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

     Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
     Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1  Statement: Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
     Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2  Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
     Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3  Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
     Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1  Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees.
     Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2  Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
     Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3  Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
     Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4  Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
     Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1  Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
     Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2  Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
     Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3  Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
     Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1  Statement: The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
     Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2  Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
     Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1  Statement: A process (i.e., a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
     Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2  Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
     Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3  Statement: Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
     Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4  Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
     Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5  Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
     Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6  Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
     Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7  Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
     Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1  Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
     Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2  Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
     Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3  Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
     Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1  Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
     Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2  Statement: Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
     Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3  Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
     Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1  Statement: Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
      Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2  Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
      Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3  Statement: Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
      Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4  Statement: The agency has established and monitors performance measures and indicators.
      Question: Do you monitor performance measures?

10.5  Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
      Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6  Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
      Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7  Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
      Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8  Statement: Accounting reports and key reconciliations are completed timely (i.e., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
      Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9  Statement: Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take into consideration the following controls when designing effective control procedures:
      • Top-level reviews of performance
      • Management of human capital
      • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
      • Physical control over vulnerable assets
      • Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
      Question: Does management utilize the appropriate types of control activities needed to address risks?

10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
      Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
      Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
      Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Statement: Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
      Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Statement: Management obtains and reviews all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
      Question: Does management obtain and review all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
114 Access Administration 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators Upon receiving notification the member of this group will grant access based upon job responsibilities 2) When an employee separates from Commonwealth employment HR notifies the system administrators via e-mail Upon notification the system administrator suspends the userrsquos ID on the employeersquos last day After a two week period user IDs are deleted from the system 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function Access Administration 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators Upon receiving notification does the member of this group grant access based upon job responsibilities 2) When an employee separates from Commonwealth employment does HR notify the system administrators via e-mail Upon notification do the system administrator suspend the userrsquos ID on the employeersquos termination date 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function
115 In order to access application functionality users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on) In order to access application functionality do users have to authenticate through the network using a unique user ID and password
11.6 Control factor: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?

11.7 Control factor: Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: Super Users/Privileged Access. 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Control factor: Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: Physical Access. 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Control factor: Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes

11.10 Control factor: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?

11.11 Control factor: Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Control factor: Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Control factor: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Control factor: Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development

11.15 Control factor: A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 Control factor: For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?

11.17 Control factor: Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 Control factor: For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?

11.19 Control factor: Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 Control factor: The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations

11.21 Control factor: Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Control factor: Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 Control factor: In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity

11.24 Control factor: Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Control factor: Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?

11.26 Control factor: Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery

11.27 Control factor: A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Control factor: Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Control factor: Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Control factor: Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities

12.1 Control factor: Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Control factor: Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Control factor: Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication

Principle 13 – Use Quality Information

13.1 Control factor: Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Control factor: Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?

13.3 Control factor: Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?

Principle 14 – Communication Internally

14.1 Control factor: Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Control factor: Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?

14.3 Control factor: Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Control factor: Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally

15.1 Control factor: Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?

15.3 Control factor: Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring

Principle 16 – Perform Monitoring Activities

16.1 Control factor: Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Control factor: Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Control factor: Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Control factor: Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Control factor: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Control factor: Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies

17.1 Control factor: Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Control factor: Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

©2017 CliftonLarsonAllen LLP

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Management Evaluation

• An effective internal control system requires that each of the five components are:
– Effectively designed, implemented, and operating
– Operating together in an integrated manner

bull Management evaluates the effect of deficiencies on the internal control system

bull A component is not effective if related principles are not effective

Overview

Standards

Layout of the Green Book

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating, and operating together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Control Environment

The foundation for an internal control system It provides the discipline and structure to help an entity achieve its objectives

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

Minimum Documentation Requirements (cont.)

Requirement (Component, Green Book reference):

• Management develops and maintains documentation of its internal control system. (Control Environment, 3.09)

• Management documents in policies the internal control responsibilities of the organization. (Control Activities, 12.02)

• Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (Monitoring, 16.09)

• Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (Monitoring, 17.05)

• Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (Monitoring, 17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Supporting documents shown with the steps: Written Policy (Required); Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed

Supporting documents shown with the steps: Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required); Internal Control Policies and Procedures (Required); Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required)

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each issue must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, some representative examples specific to the Commonwealth are presented in the third tab of this file. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Each risk is rated on nine factors; the column weights (which sum to 100) turn those ratings into the Total Score.

| Risk | Description | Level of documented control procedures | Size or volume | New products, services, or processing systems | Personnel turnover and mix | Complexity | Susceptibility to fraud | Information and reporting | Inherent level of risk to the organization | Frequency mentioned during interviews | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | | 10 | 10 | 10 | 15 | 15 | 15 | 10 | 10 | 5 | 100 |
| Data Breach | The risk that the organization's data is vulnerable from internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |
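The weighted scoring behind the risk register above, as an added Python example (not the presenter's spreadsheet): each risk's nine factor ratings are multiplied by the column weights, which sum to 100, and the register is ranked by total, with a helper that shows which factors drive a given total. Factor names, weights and ratings come from the sheet; the 1-to-5 rating bounds and the function names are assumptions.

```python
"""Weighted risk-scoring model behind the Enterprise Risk Management sheet.

Added illustration, not the firm's spreadsheet logic. Each risk carries one
rating per factor; total = sum(rating_i * weight_i), so with weights summing
to 100 and ratings of 1-5 (assumed bounds) the maximum total is 500.
"""
from dataclasses import dataclass

# Factor names and weights as they appear in the sheet's header row, in order.
FACTORS = (
    ("documented control procedures", 10),
    ("size or volume", 10),
    ("new products, services or processing systems", 10),
    ("personnel turnover and mix", 15),
    ("complexity", 15),
    ("susceptibility to fraud", 15),
    ("information and reporting", 10),
    ("inherent level of risk to the organization", 10),
    ("frequency mentioned during interviews", 5),
)
WEIGHTS = tuple(weight for _, weight in FACTORS)
MIN_RATING, MAX_RATING = 1, 5  # assumed rating scale; the sheet only shows 1-5


@dataclass(frozen=True)
class Risk:
    name: str
    ratings: tuple  # one rating per factor, in FACTORS order


def validate_weights(weights=WEIGHTS):
    """Weights must sum to 100 so totals across risks are comparable."""
    if sum(weights) != 100:
        raise ValueError(f"weights sum to {sum(weights)}, expected 100")
    return True


def score_risk(ratings, weights=WEIGHTS):
    """Total score for one risk; rejects rows with a wrong count or range."""
    if len(ratings) != len(weights):
        raise ValueError(f"expected {len(weights)} ratings, got {len(ratings)}")
    for rating in ratings:
        if not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(f"rating {rating} outside {MIN_RATING}-{MAX_RATING}")
    return sum(rating * weight for rating, weight in zip(ratings, weights))


def rank_register(risks, weights=WEIGHTS):
    """(name, total) pairs, highest first; ties keep the register's order."""
    validate_weights(weights)
    scored = [(risk.name, score_risk(risk.ratings, weights)) for risk in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def factor_contributions(risk, weights=WEIGHTS):
    """Points each factor adds to the total, so the drivers are visible."""
    return {
        name: rating * weight
        for (name, _), rating, weight in zip(FACTORS, risk.ratings, weights)
    }


def top_drivers(risk, count=3, weights=WEIGHTS):
    """Factor names contributing the most points, largest first."""
    contributions = factor_contributions(risk, weights)
    ordered = sorted(contributions.items(), key=lambda kv: kv[1], reverse=True)
    return [name for name, _ in ordered[:count]]


# The five risks from the sheet, ratings in header order.
REGISTER = [
    Risk("Data Breach", (2, 5, 4, 3, 5, 4, 5, 5, 3)),
    Risk("National Park Service Relationship", (3, 5, 4, 3, 4, 1, 2, 5, 5)),
    Risk("Age of Venue - Filene Center", (3, 5, 4, 3, 4, 3, 1, 4, 3)),
    Risk("Succession Planning", (5, 2, 1, 5, 3, 2, 3, 5, 5)),
    Risk("Audience Competition", (3, 5, 3, 1, 4, 2, 4, 5, 5)),
]

if __name__ == "__main__":
    for name, total in rank_register(REGISTER):
        print(f"{total:4d}  {name}  drivers: {', '.join(top_drivers(REGISTER[[r.name for r in REGISTER].index(name)]))}")
```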


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, Sean.Walker@claconnect.com, 410-308-8081

| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department Organization Charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g. proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness Level options: Deficiency; Significant Deficiency; Material Weakness

Agency: _______________________ Assessable Unit: _____________ Updated 07/18/2016

To be completed for all significant deficiencies or material weaknesses.

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency. Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e. annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system. Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials and references of new employees. When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel. Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e. reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (i.e. Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e. open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e. minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e. fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy the control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e. review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e. implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify the changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e. turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e. additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e. instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e. management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e. reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
  • Top-level reviews of performance
  • Management of human capital
  • Controls over information processing (i.e. edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
  • Physical control over vulnerable assets
  • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e. reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e. Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure each independent report covers the controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e. online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e. Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e. Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
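As an added example (not code from the assessment template or from CliftonLarsonAllen), the following PowerShell, using the ActiveDirectory module, reads the domain password settings and compares them with the parameters stated in control factor 11.3, then retains the result as evidence; the function names, the mapping of 11.3 to AD settings, and the CSV file name are assumptions.

```powershell
# Added example, not part of the assessment template: compare the effective
# Active Directory password settings with control factor 11.3.
# Function names, threshold mapping and the CSV path are assumptions.
#Requires -Modules ActiveDirectory

# Thresholds as stated in control factor 11.3
$Expected = @{
    MinPasswordLength  = 8
    MaxPasswordAgeDays = 30
    LockoutThreshold   = 4
}

function Test-PasswordPolicyAgainstControlFactor {
    param(
        # Output of Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] $Policy,
        [string] $Name = 'Default Domain Policy'
    )
    # MaxPasswordAge and LockoutDuration are TimeSpans; a value of 0 means
    # "passwords never expire" and "locked until an administrator unlocks" respectively.
    $ageDays        = [int]$Policy.MaxPasswordAge.TotalDays
    $lockoutMinutes = [int]$Policy.LockoutDuration.TotalMinutes

    [pscustomobject]@{
        Policy           = $Name
        MinLengthOk      = $Policy.MinPasswordLength -ge $Expected.MinPasswordLength
        # Caveat: AD's complexity switch requires characters from at least three
        # categories, which is stricter than "one numeric and one alpha"; AD has no
        # native alpha+numeric setting, so this switch is the available evidence.
        ComplexityOk     = [bool]$Policy.ComplexityEnabled
        ExpiryOk         = ($ageDays -gt 0) -and ($ageDays -le $Expected.MaxPasswordAgeDays)
        # A LockoutThreshold of 0 means accounts are never locked out.
        LockoutOk        = ($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -le $Expected.LockoutThreshold)
        # The "suspended status" in 11.3 corresponds best to a lockout that persists
        # until an administrator unlocks the ID (LockoutMinutes = 0).
        LockoutMinutes   = $lockoutMinutes
        MaxPasswordAge   = $ageDays
        LockoutThreshold = $Policy.LockoutThreshold
    }
}

function Get-ControlFactor113Evidence {
    $results = @(Test-PasswordPolicyAgainstControlFactor -Policy (Get-ADDefaultDomainPasswordPolicy))
    # Fine-grained password policies (PSOs) override the domain default for the users
    # and groups they apply to, so an assessment that reads only the default policy
    # can miss a weaker setting.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $results += Test-PasswordPolicyAgainstControlFactor -Policy $pso -Name ("PSO: " + $pso.Name)
    }
    $results
}

$evidence = Get-ControlFactor113Evidence
$evidence | Format-Table -AutoSize
# Retain the output as documentation for the "Controls Implemented" column of the template.
$evidence | Export-Csv -Path '.\control-factor-11-3-ad-password-policy.csv' -NoTypeInformation
```

Any row with a False value is a candidate for the "Action Items/Areas Needing Improvement" column; the other applications named in 11.3 need an equivalent check of their own settings.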
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners. Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgment in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Layout of the Green Book

21

copy20

17 C

lifto

nLar

sonA

llen

LLP

WEALTH ADVISORY | OUTSOURCING | AUDIT TAX AND CONSULTING

5 Control Components

• These 5 control components must be effectively designed, implemented, and operating together in an integrated manner:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

22


Control Environment

23

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

24

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

25

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

26

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

27

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components

28


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

29


Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

30


In Practice…

31


We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
– No formal risk assessment
◊ "Stuff happens" technique
◊ "Trust level" is the dominant risk assessment
– Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
– Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls

32


Incremental Progress - Organizing

HERE

Formally declare an internal control framework
Break down the organization into functions
Establish a process for evaluating risks
Create teams by function to brainstorm risks

Deliverables shown on the slide: Written Policy (Required); Risk Assessment Spreadsheet

33


Incremental Progress - Analysis and Monitoring

Analyze identified risks
Align existing controls with identified risks
Design controls to mitigate high exposure risks
Develop a process to ensure the controls are operating as designed

THERE

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)

34


Written Policy

35


Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance

36


Risk Assessment Spreadsheet

37

Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies, it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples


Enterprise Risk Management

Risk assessment scoring matrix. Each risk is scored on nine factors (the scores on this page range from 1 to 5), each score is multiplied by the factor's weight, and the Total Score is the weighted sum. The weights add up to 100.

| Risk | Level of documented control procedures | Size or volume | New products, services or processing systems | Personnel turnover and mix | Complexity | Susceptibility to fraud | Information and reporting | Inherent level of risk to the organization | Frequency mentioned during interviews | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Weight | 10 | 10 | 10 | 15 | 15 | 15 | 10 | 10 | 5 | 100 |
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:

• Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and that should any of the data be compromised, the Wolf Trap brand would be damaged.
• National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.
• Age of Venue - Filene Center: The risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization.
• Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions, should those positions be vacated for reasons other than termination.
• Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
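The scoring method behind the matrix above, as an added example (not code from the original presentation): the weights and the five rows are taken from the matrix, the 1 to 5 rating scale is an assumption (the page only shows scores in that range), and the factor names, the input validation and the ranking/contribution helpers are mine. It rejects a weight set that does not sum to 100 and a score vector with missing, extra or out-of-range factors, which are the two ways a spreadsheet of this kind usually drifts, and it shows which factors drive each total.

```python
"""Weighted risk scoring of the kind used in the Enterprise Risk Management matrix.

Each factor gets a score; Total = sum(score * weight), with the weights summing
to 100. Risks are ranked by total, and per-factor contributions show where a
stronger control (or a re-scored factor) would move the total the most.
"""
from typing import Dict, List, Tuple

# Factor weights in the column order of the matrix (they sum to 100).
WEIGHTS: Dict[str, int] = {
    "documented_controls": 10,
    "size_or_volume": 10,
    "new_products_or_systems": 10,
    "personnel_turnover_and_mix": 15,
    "complexity": 15,
    "fraud_susceptibility": 15,
    "information_and_reporting": 10,
    "inherent_risk": 10,
    "interview_frequency": 5,
}

# Assumed rating scale: the matrix on the page only shows scores from 1 to 5.
MIN_SCORE, MAX_SCORE = 1, 5


def validate_weights(weights: Dict[str, int]) -> None:
    """A weight set that does not sum to 100 silently distorts every total."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must sum to 100, got {total}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")


def weighted_score(scores: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> int:
    """Weighted total for one risk; rejects incomplete or out-of-range score vectors."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    extra = set(scores) - set(weights)
    if missing or extra:
        raise ValueError(f"score vector mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for factor, score in scores.items():
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{factor}: score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(scores[f] * weights[f] for f in weights)


def contributions(scores: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> List[Tuple[str, int]]:
    """Per-factor contribution (score * weight), largest first; ties keep column order."""
    return sorted(((f, scores[f] * weights[f]) for f in weights), key=lambda t: -t[1])


def rank_risks(register: Dict[str, Dict[str, int]], weights: Dict[str, int] = WEIGHTS) -> List[Tuple[str, int]]:
    """Rank {risk name: scores} by weighted total, highest first.
    sorted() is stable, so risks with equal totals keep the register's order."""
    scored = [(name, weighted_score(s, weights)) for name, s in register.items()]
    return sorted(scored, key=lambda t: -t[1])


# Constructed from the five rows of the matrix on this page (same column order).
RISK_REGISTER: Dict[str, Dict[str, int]] = {
    "Data Breach": dict(zip(WEIGHTS, [2, 5, 4, 3, 5, 4, 5, 5, 3])),
    "National Park Service Relationship": dict(zip(WEIGHTS, [3, 5, 4, 3, 4, 1, 2, 5, 5])),
    "Age of Venue - Filene Center": dict(zip(WEIGHTS, [3, 5, 4, 3, 4, 3, 1, 4, 3])),
    "Succession Planning": dict(zip(WEIGHTS, [5, 2, 1, 5, 3, 2, 3, 5, 5])),
    "Audience Competition": dict(zip(WEIGHTS, [3, 5, 3, 1, 4, 2, 4, 5, 5])),
}

if __name__ == "__main__":
    for name, total in rank_risks(RISK_REGISTER):
        top = ", ".join(f"{f}={c}" for f, c in contributions(RISK_REGISTER[name])[:3])
        print(f"{total:4d}  {name:36s} top factors: {top}")
```

Running it reproduces the totals in the matrix (405, 335, 335, 335, 330) and shows, for example, that complexity (75) and susceptibility to fraud (60) carry the Data Breach score, which is where a control investment would change the ranking.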


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  - SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  - Identify the risk
  - Document the control activities
  - Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
Sean.Walker@claconnect.com | 410-308-8081


Contents

  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Contact Information
Examples tab: Commonwealth processes and procedures mapped to the Green Book principle they most directly relate to.

| Principle | Control factor (example) |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016

Weakness Level drop-down values: Deficiency, Significant Deficiency, Material Weakness. The Corrective Action Plan, Responsible Party and Target Completion Date columns are to be completed for all significant deficiencies or material weaknesses.

Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Each control factor below is listed as its statement followed by the question the assessable unit answers.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (e.g., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as they pertain to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (e.g., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (e.g., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (e.g., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would produce the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would produce the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (e.g., minutes of meetings)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; employees periodically receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond in a timely manner if a fraud allegation is made.
Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond in a timely manner if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies the fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy the control deficiencies identified.
Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Question: How does management respond to any identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
Question: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk.
Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (e.g., management is concerned with contracts being awarded above $1 million, so all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed in a timely manner (e.g., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Question: Are accounting reports and reconciliations completed in a timely manner, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address the risks surrounding its control objectives. Management takes the following controls into consideration when designing effective control procedures:
  • Top-level reviews of performance
  • Management of human capital
  • Controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals agreed to control accounts)
  • Physical control over vulnerable assets
  • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
Question: Does management utilize the appropriate types of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity level, bureau level, transaction level) in response to the risks identified. Management incorporates transactional/activity controls (e.g., reconciliations, authorizations) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Question: Does management design controls at the appropriate level in response to the risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible for maintaining and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews the corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review the corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications) should be or are required as part of the contract with the third-party service provider.
Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be or are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern or deficiencies identified in the reports.
Question: Does management obtain and review all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern or deficiencies identified in the reports?
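Control factors 10.5 and 10.6 ask whether role assignments in IT systems are reviewed for segregation-of-duties conflicts and whether any exceptions carry a documented compensating control. The following is an added example of how that review can be run over an access-listing export; it is not code from the presentation or the Commonwealth template. The role catalogue, the conflicting duty pairs and the sample user listing are all constructed for illustration (the duties named in 10.5, initiating transactions, reconciling balances, handling assets and reviewing reports, are used as the vocabulary; the specific pairs treated as conflicting are an assumed policy).

```python
"""Segregation-of-duties (SoD) conflict check over IT role assignments (10.5 / 10.6).

A user conflicts when the union of duties granted by all of their roles contains
both halves of a conflicting duty pair. Conflicts with a documented compensating
control are reported separately from open ones, because 10.5 accepts an exception
only when the compensating control is both implemented and documented.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Pair = Tuple[str, str]

# Assumed SoD policy: duty combinations one person must not hold.
CONFLICTING_DUTY_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"initiate_transactions", "approve_transactions"}),
    frozenset({"handle_assets", "reconcile_balances"}),
    frozenset({"initiate_transactions", "reconcile_balances"}),
    frozenset({"maintain_vendor_master", "approve_payments"}),
}

# Assumed role catalogue: which duties each IT-system role grants.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "AP_Clerk": {"initiate_transactions"},
    "AP_Approver": {"approve_transactions", "approve_payments"},
    "Cashier": {"handle_assets"},
    "GL_Reconciler": {"reconcile_balances"},
    "Vendor_Admin": {"maintain_vendor_master"},
    "Report_Viewer": {"review_reports"},
}


def duties_for(roles: Iterable[str], role_duties: Dict[str, Set[str]] = ROLE_DUTIES) -> Set[str]:
    """Union of duties across a user's roles; unknown roles are an error, not ignored,
    because a role missing from the catalogue is exactly the one that hides a conflict."""
    held: Set[str] = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"role {role!r} is not in the role catalogue")
        held |= role_duties[role]
    return held


def find_conflicts(
    assignments: Dict[str, List[str]],
    role_duties: Dict[str, Set[str]] = ROLE_DUTIES,
    conflicts: Set[FrozenSet[str]] = CONFLICTING_DUTY_PAIRS,
) -> Dict[str, List[Pair]]:
    """Return {user: sorted list of conflicting duty pairs} for users with at least one conflict."""
    findings: Dict[str, List[Pair]] = {}
    for user, roles in assignments.items():
        held = duties_for(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            findings[user] = sorted(hits)  # type: ignore[arg-type]
    return findings


def split_by_compensating_control(
    findings: Dict[str, List[Pair]], documented: Set[Tuple[str, Pair]]
) -> Tuple[Dict[str, List[Pair]], Dict[str, List[Pair]]]:
    """Split conflicts into (open, mitigated) using the set of documented
    (user, pair) compensating controls. Anything not documented stays open."""
    open_: Dict[str, List[Pair]] = {}
    mitigated: Dict[str, List[Pair]] = {}
    for user, pairs in findings.items():
        for pair in pairs:
            bucket = mitigated if (user, pair) in documented else open_
            bucket.setdefault(user, []).append(pair)
    return open_, mitigated


# Constructed sample: an access-listing export of the kind a semiannual review works from.
ASSIGNMENTS: Dict[str, List[str]] = {
    "asmith": ["AP_Clerk", "Report_Viewer"],
    "bjones": ["AP_Clerk", "AP_Approver"],        # initiates and approves the same transactions
    "cdoe": ["Cashier", "GL_Reconciler"],         # handles cash and reconciles the balance
    "dlee": ["Vendor_Admin", "AP_Approver"],      # can add a vendor and approve its payments
    "eroy": ["GL_Reconciler"],
}

# Constructed: the one exception for which a compensating control is documented
# (a supervisor re-performs cdoe's reconciliation monthly).
DOCUMENTED_COMPENSATING_CONTROLS: Set[Tuple[str, Pair]] = {
    ("cdoe", ("handle_assets", "reconcile_balances")),
}

if __name__ == "__main__":
    open_, mitigated = split_by_compensating_control(find_conflicts(ASSIGNMENTS), DOCUMENTED_COMPENSATING_CONTROLS)
    for user, pairs in open_.items():
        print(f"OPEN      {user}: {pairs}")
    for user, pairs in mitigated.items():
        print(f"MITIGATED {user}: {pairs}")
```

The check is deliberately on duties rather than role names, so it keeps working when a role is renamed or when two roles that look harmless on their own combine into a conflict; the role catalogue is the artifact that the annual role review in 10.6 should keep current.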
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
  Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
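An added example (not from the template) that tests the separation step of this control factor: it reconciles HR separation notices against a directory account snapshot and flags IDs that are still enabled after the last day, or still present more than two weeks after it. The notices and the account snapshot are constructed sample data; in use they would come from the HR e-mail feed and from Get-ADUser.

```powershell
function Test-SeparationControl {
    param(
        [Parameter(Mandatory)] $Separations,     # objects with UserId, LastDay (from the HR notices)
        [Parameter(Mandatory)] $Accounts,        # objects with UserId, Enabled (e.g. from Get-ADUser -Filter *)
        [datetime] $AsOf = (Get-Date),
        [int]      $DeleteAfterDays = 14         # "after a two week period user IDs are deleted"
    )
    $byId = @{}
    foreach ($a in $Accounts) { $byId[$a.UserId] = $a }

    foreach ($s in $Separations) {
        if ($s.LastDay -gt $AsOf) { continue }          # not yet separated, nothing to test
        $acct = $byId[$s.UserId]
        if ($null -eq $acct) { continue }               # already deleted: control operated as designed
        if ($acct.Enabled) {
            [pscustomobject]@{ UserId = $s.UserId; LastDay = $s.LastDay.ToString('yyyy-MM-dd')
                               Finding = 'ID still enabled after last day (suspension step failed)' }
        } elseif ($AsOf -gt $s.LastDay.AddDays($DeleteAfterDays)) {
            [pscustomobject]@{ UserId = $s.UserId; LastDay = $s.LastDay.ToString('yyyy-MM-dd')
                               Finding = "suspended ID not deleted within $DeleteAfterDays days" }
        }
    }
}

# Constructed sample data (not real employees or accounts).
$separations = @(
    [pscustomobject]@{ UserId = 'user01'; LastDay = [datetime]'2017-06-01' }   # left a month ago
    [pscustomobject]@{ UserId = 'user02'; LastDay = [datetime]'2017-06-20' }   # left ten days ago
    [pscustomobject]@{ UserId = 'user03'; LastDay = [datetime]'2017-06-29' }   # left yesterday
    [pscustomobject]@{ UserId = 'user04'; LastDay = [datetime]'2017-07-15' }   # future separation
)
$accounts = @(
    [pscustomobject]@{ UserId = 'user01'; Enabled = $false }   # suspended but never deleted
    [pscustomobject]@{ UserId = 'user02'; Enabled = $false }   # suspended, deletion not yet due
    [pscustomobject]@{ UserId = 'user03'; Enabled = $true  }   # never suspended
    [pscustomobject]@{ UserId = 'user04'; Enabled = $true  }   # still employed
    [pscustomobject]@{ UserId = 'svc01';  Enabled = $true  }   # no HR record; out of scope for this check
)

Test-SeparationControl -Separations $separations -Accounts $accounts -AsOf ([datetime]'2017-06-30') |
    Format-Table UserId, LastDay, Finding -AutoSize
```

Against a live domain, build -Accounts with `Get-ADUser -Filter * | Select-Object @{n='UserId';e={$_.SamAccountName}}, Enabled`.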
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
  Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
  Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
  Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected and only the administrator and designated backups have access to the system.
  Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
  Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
  Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
  Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
  Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
  Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
  Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
  Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
  Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
  Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
  Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
  Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
  Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
  Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
  Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
  Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
  Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
  Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file).
  Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
  Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training and hardware maintenance and management.
  Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
  Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
  Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
  Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
  Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
  Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors.
  Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
  Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
  Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
  Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur.
  Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
  Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, e-mail, onboarding process).
  Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
  Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
  Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
  Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., e-mail)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
  Questions: Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
  Questions: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable.
  Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level, when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
  Questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
  Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
  Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
  Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
  Questions: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
  Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

5 Control Components

• These 5 control components must be effectively designed, implemented and operating together in an integrated manner:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring


Control Environment


The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components



Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.



Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…



We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ “Stuff happens technique”
    ◊ “Trust level” is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing (starting point: HERE)

1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Supporting documents: Written Policy (Required); Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring (end point: THERE)

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high-exposure risks
4. Develop a process to ensure the controls are operating as designed

Supporting documents: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)


Written Policy



Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Each risk is rated 1 to 5 on nine factors. The column weight is shown in parentheses (weights total 100), and the Total Score is the weighted sum of the nine ratings.

| Risk Description | Level of documented control procedures (10) | Size or volume (10) | New products, services or processing systems (10) | Personnel turnover and mix (15) | Complexity (15) | Susceptibility to fraud (15) | Information and reporting (10) | Inherent level of risk to the organization (10) | Frequency mentioned during interviews (5) | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach: The risk that the organization's data is vulnerable from internal or external threats, and should any of the data be compromised the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue, Filene Center: Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |
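How the Total Score column is derived, as an added worked example (this is not the presenter's code or the organization's spreadsheet): the unlabeled row of weights 10 10 10 15 15 15 10 10 5 sums to 100, and each total is the sum of the nine 1-to-5 ratings multiplied by their column weights, e.g. Data Breach = 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405. The factor names, weights and the five risks are taken from the table; the scoring formula is inferred from it and checks out against all five totals. The ranking, percentage-of-maximum and per-factor driver breakdown are additions that the slide does not show.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management table.

Added example (not the presenter's or Wolf Trap's spreadsheet). Weights and
ratings are copied from the table; the formula (rating x weight, summed) is
inferred from the table and reproduces every Total Score shown on the slide.
"""

# Factor names and weights in table column order. Weights sum to 100.
FACTORS = (
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
)
WEIGHTS = tuple(w for _, w in FACTORS)
MAX_SCORE = 5 * sum(WEIGHTS)  # a risk rated 5 on every factor scores 500

# Ratings (1 = low, 5 = high) copied from the table rows, in slide order.
RISK_REGISTER = {
    "Data Breach": (2, 5, 4, 3, 5, 4, 5, 5, 3),
    "National Park Service Relationship": (3, 5, 4, 3, 4, 1, 2, 5, 5),
    "Age of Venue - Filene Center": (3, 5, 4, 3, 4, 3, 1, 4, 3),
    "Succession Planning": (5, 2, 1, 5, 3, 2, 3, 5, 5),
    "Audience Competition": (3, 5, 3, 1, 4, 2, 4, 5, 5),
}


def weighted_score(ratings, weights=WEIGHTS):
    """Return sum(rating * weight) after validating shape, weights and the 1-5 scale."""
    if len(ratings) != len(weights):
        raise ValueError(f"expected {len(weights)} ratings, got {len(ratings)}")
    if sum(weights) != 100:
        raise ValueError("column weights must sum to 100")
    for r in ratings:
        if not 1 <= r <= 5:
            raise ValueError(f"rating {r} is outside the 1-5 scale")
    return sum(r * w for r, w in zip(ratings, weights))


def rank_risks(register, weights=WEIGHTS):
    """Score every risk and return [(name, score)] highest first.

    sorted() is stable, so risks with equal totals keep their register order.
    """
    scored = [(name, weighted_score(r, weights)) for name, r in register.items()]
    return sorted(scored, key=lambda item: -item[1])


def top_drivers(ratings, weights=WEIGHTS, n=3):
    """The n factors contributing most to a score: where mitigation would move the total."""
    contributions = [(FACTORS[i][0], r * w)
                     for i, (r, w) in enumerate(zip(ratings, weights))]
    return sorted(contributions, key=lambda c: -c[1])[:n]


if __name__ == "__main__":
    for name, score in rank_risks(RISK_REGISTER):
        print(f"{score:4d} ({100 * score / MAX_SCORE:3.0f}% of max)  {name}")
        for factor, contribution in top_drivers(RISK_REGISTER[name]):
            print(f"        {contribution:3d}  {factor}")
```

Running the block reproduces the slide's totals (405, 335, 335, 335, 330) and shows, for instance, that Complexity (75) and Susceptibility to fraud (60) drive most of the Data Breach score, which is the kind of breakdown a risk committee needs when deciding which control activities to fund.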


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
SeanWalker@claconnect.com
410-308-8081


  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level drop-down options: Deficiency, Significant Deficiency, Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
43 Employees receiveobtain information and training about internal controls as it pertains to onersquos position role and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system Does each employee in the AgencyAssessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system If yes how often does this training occur
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
51 Management enforces accountability of all individuals including all agency personnel as well as all service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations
52 Job performance is periodically evaluated and reviewed with each employee Appropriate remedial action is taken when performance expectations are not met Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individualrsquos position or status Does your AgencyAssessable Unit enforce accountability with respect to management staff and contractors Are performance evaluations being conducted on a timely basis to ensure job duties (ie reconciliations reviews) are being performed What remedial actions are taken when performance is not adequate or inappropriate behavior is reported
53 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities Excessive pressures are adjusted by rebalancing workloads increasing resource levels or by other methods Is excessive pressure placed on management staff contractors etc to complete tasks andor their assigned duties If yes how do you protect against the related risks of corners being cut quality diminishing etc
Risk Assessment
Principle 6 ndash Define Objectives and Risk Tolerances
61 Agency has a defined strategic plan including a mission statement and defined goals and objectives Assessable unit goals and objectives are in concert with those of the Agency The Agency plan identifies critical success factors and risks including fraud risk related to achieving the defined objectives Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks Management has established a process to periodically review and update strategic plans and objectives In your AgencyAssessable Units defined strategic plan how do you specifically address critical success factors and risks related to your goals and objectives What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks What is your process for periodically reviewing and updating the strategic plan and related objectives
62 Management defines risk tolerances for its defined objectives in specific and measurable terms This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives a reasonable level of precision and accuracy for nonfinancial reporting objectives and a reasonable level of materiality for financial reporting objectives Acceptable levels of variation are documented and adhered to by each Assessable Unit How does management define its risk tolerance for their objectives Does your AgencyAssessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operation objectives Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives
Principle 7 ndash Identify Analyze and Respond to Risks
71 A process (ie Strengths Weaknesses Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel new information systems changes in management responsibilities new or changed educational or research programs etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of internal risk factors on objectives and plans If yes what is your process How often is the process updated
72 A process exists to identify and consider the implications of external risk factors (new legislation technological advancements expectations of the federal government etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of external risk factors objectives and plans How often is the process updated
73 Management has developed an approach for risk management that assesses the likelihood frequency and impact of each identified risk event assigns a risk category (high medium low) to each event and considers the costs versus the benefits of reducing the risk Do you conduct a risk assessment of your business processes If so how and how often
74 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities Are plans developed and documented to mitigate significant identified risks Are risks mapped to specific control activities
75 Management periodically assesses employee attitudes towards their specific roles in the agency reviews the effectiveness of the organization structure and evaluates the appropriateness of policies and procedures Is management open to feedback from employees and does management continually assess employee attitudes towards their roles (ie open-door policy)
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 - Access Fraud Risk
81 Specific antifraud policies and training have been developed periodically employees receive training on fraud awareness and appropriate actions to take when fraud is suspected Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made Does your AgencyAssessable Unit have specific internal antifraud policies and has training been developed If yes is there a required periodic training for each employee to complete and sign off on What is managements internal fraud response plan and how does it respond timely if an internal fraud allegation is made
82 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (ie fraudulent financial reporting misappropriation of assets corruption) Management identifies fraud risk factors (incentivepressure opportunity and attituderationalization) that often lead to fraud being committed Also management identifies other forms of misconduct that can occur such as waste and abuse The assessment considers how to remedy control deficiencies identified How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (ie review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring) How does management identify fraud risk factors How does management consider other forms of misconduct such as waste and abuse
83 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur How does management respond to any identified fraud risk factors (ie implement compensating controls to deter fraud) How are identified fraud risk factors communicated to employees
Principle 9 ndash Identify Analyze and Respond to Change
91 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel
92 Mechanisms exist to identify prioritize and react to 1) routine events (ie turnover) 2) economic change 3) regulatory changes and 4) technological changes that impact the achievement of agencyassessable unit-wide objectives How does your AgencyAssessable Unit identify prioritize and react to routine events economic change regulatory changes new legislation and technological changes How do you ensure that none of these changes are overlooked
93 Management promotes continuous improvement and solicits input and feedback on the implications of significant change Does management promote continuous improvement and solicit input and feedback on the implications of significant change If yes how does management evaluate staff and promote continuous improvement
Control Activities
Principle 10 ndash Design Control Activities
101 Policies procedures techniques andor mechanisms are in place to enforce managements directives to achieve the entitys objectives and address related risks Does your AgencyAssessable Unit have policies procedures techniques andor mechanisms in place to enforce managements directives to achieve objectives and address related risks
102 Policies and procedures address the handling of confidential or sensitive information such as social security numbers or protected health information Does your AgencyAssessable Unit have policies and procedures in place to address the handling of confidential or sensitive information
103 Management has defined and appropriately assigned employee job duties roles and responsibilities to qualified personnel to achieve agency or bureau control objectives Has your AgencyAssessable Unit defined and appropriately assigned employee job duties roles and responsibilities to qualified personnel to achieve control objectives
104 The agency has established and monitors performance measures and indicators Do you monitor performance measures
105 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error waste or fraud For example no one person should initiate transactions reconcile balances handle assets and review reports If adequate segregation of duties is not practical management has designed compensating control activities (ie additional supervision and review) to address the entitys risk Does your AgencyAssessable Unit have a process in place to ensure there are adequate segregation of duties If there are exceptions (ie instances where segregation of duties is not practical due to resource constraints) have compensating controls been implemented and documented to address the associated risks
106 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and roles they are assigned within IT systems The security and data policy should include access control user provisioning etc At a minimum an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems Has your AgencyAssessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned to your IT systems Do the procedures implemented include access control user provisioning etc Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems
107 Management designs controls activities to ensure certain transactions need appropriate levels of review based on predetermined criteria set by management in response to determined risks (ie management is concerned with contracts being awarded above $1 million all contracts over $1 million must be reviewed and signed off by Deputy Secretary) Are dollar thresholds established to escalate transactions to a higher level of management for reviewapproval
108 Accounting reports and key reconciliations are completed timely (ie reconciliation of grant expenditures is prepared and reviewed purchasing card reconciliations) Management performs a diligent review and signifies approval by signature and date Unexpected operating results or unusual trends are investigated Are accounting reports and reconciliations completed timely documented and reviewed and approved (evidenced by signatures and dates of those responsible) Are anomalies investigated
109 Management designs appropriate types of control activities to address risks surrounding their control objectives Management will take into consideration the following controls when designing effective control proceduresbullTop Level Reviews of performancebullManagement of Human CapitalbullControls over information processing (ie edit checks of data entered accounting for transactions in numerical sequences batch total with control accounts etc)bullPhysical control over vulnerable assetsbullAppropriate documentation (formal policies directives and manuals are properly managed and maintained) Does management utilize the appropriate type of control activities needed to address risks
1010 Management designs controls at the appropriate levels in the organizational structure (entity-level bureau-level transaction-level) in response to risks identified Management will incorporate transactionalactivity controls (ie reconciliations authorizations etc) into the operational process when necessary depending on the relevance of the transaction cycle in meeting the overall bureau control objective Does management design controls at the appropriate level in response to risks identified Has management incorporated transactionalactivity controls depending on the relevance of the transaction cycle in meeting the overall AgencyAssessable Unit control objective
1011 Employees understand which records they are responsible to maintain and the required retention period Records are appropriately filed and are disposed of according to the updated retention schedule How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule
1012 Management has a written policy in place which defines the procedures for monitoring sub-recipients 1) The agencyassessable unit documents its review of sub-recipients 2) The agencyassessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring Does management have a written policy in place which defines the procedures for monitoring sub-recipients Does management document its review of sub-recipients Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring
1013 Management confirms the operating effectiveness of their service providers controls Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Management determines whether examinations audits service level agreements and related independent reports (ie Service Organization Control (SOC) 1 SOC 2 andor SOC 3 reports security assessments system certifications etc) should beare required as part of the contract with the third party service provider Does management confirm the operating effectiveness of their service providers controls Does management inventory existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment Does management determine whether examinations audits service level agreements and related independent reports should beare required as part of the contract with the third party service provider
1014 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follows up on any areas of concerndeficiencies identified in the reports Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through vendor relationship with the Commonwealth and follow up on any areas of concerndeficiencies identified in the reports
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Assessment questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Assessment questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Assessment questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
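Factors 11.4 and 11.6 together describe an account lifecycle (grant on HR notice, suspend on the last day, delete after two weeks) and a periodic review that access matches job function. The following added example, which is not code from the slides or from the Commonwealth assessment template, shows the reconciliation an administrator or the Data Security group could run to produce evidence for both: it joins an HR roster against an account export and reports every account that needs action. The HR records, the accounts, the `ROLE_BASELINE` mapping of job functions to roles, and the review date are all constructed for the example.

```python
"""Added example (not from the CLA slides or the Commonwealth assessment
template): a reconciliation that a system administrator or the Data
Security group could run to evidence control factors 11.4 (suspend the ID
on separation, delete it after two weeks) and 11.6 (review that access is
commensurate with job function).  It joins an HR roster against an
account export.  The roster, the accounts and the role baseline are
constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DELETE_AFTER = timedelta(days=14)   # "After a two week period user IDs are deleted"


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    job_function: str
    separated_on: Optional[date] = None   # None = still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    status: str                           # "active" or "suspended"
    roles: frozenset
    suspended_on: Optional[date] = None


# Hypothetical baseline: which roles each job function justifies.  In practice
# the business managers own this mapping and confirm it during the review.
ROLE_BASELINE = {
    "accounts_payable": {"ap_clerk"},
    "payroll": {"payroll_user"},
    "system_admin": {"domain_admin"},
}


def reconcile(hr, accounts, today: date):
    """Return (user_id, finding) pairs for every account that needs action."""
    roster = {r.user_id: r for r in hr}
    findings = []
    for acct in accounts:
        rec = roster.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this ID: an orphan or a shared/system ID
            findings.append((acct.user_id, "no HR record: verify owner or remove"))
            continue
        if rec.separated_on is not None and rec.separated_on <= today:
            if acct.status == "active":
                findings.append((acct.user_id, "separated employee still active: suspend"))
            elif acct.suspended_on is not None and today - acct.suspended_on >= DELETE_AFTER:
                findings.append((acct.user_id, "suspended over two weeks: delete"))
            continue
        # Still employed: access must be commensurate with job function (11.6)
        excess = acct.roles - ROLE_BASELINE.get(rec.job_function, set())
        if excess:
            findings.append((acct.user_id,
                             f"roles not justified by job function '{rec.job_function}': "
                             + ", ".join(sorted(excess))))
    return findings


# Constructed sample inputs (not Commonwealth data)
TODAY = date(2017, 9, 30)
SAMPLE_HR = [
    HrRecord("jdoe", "accounts_payable"),
    HrRecord("asmith", "payroll", separated_on=date(2017, 9, 29)),
    HrRecord("bkim", "payroll", separated_on=date(2017, 9, 1)),
    HrRecord("clee", "accounts_payable"),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "active", frozenset({"ap_clerk"})),
    Account("asmith", "active", frozenset({"payroll_user"})),
    Account("bkim", "suspended", frozenset({"payroll_user"}), suspended_on=date(2017, 9, 1)),
    Account("clee", "active", frozenset({"ap_clerk", "domain_admin"})),
    Account("svc_batch", "active", frozenset({"domain_admin"})),
]


def run_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)
```

The output is the working paper for the semiannual review: each line names the account and the action (suspend, delete, confirm the extra role with the business manager, or identify the owner of an ID that HR does not know about). Running it more often than semiannually closes the gap between an employee's last day and the suspension that 11.4 requires on that day.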
11.7 Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Assessment questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Assessment questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Assessment questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Assessment questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
Assessment questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Assessment questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Assessment questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Assessment questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Assessment questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Assessment questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Assessment questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Assessment questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Assessment questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Assessment questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Assessment questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Assessment questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Assessment questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Assessment questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Assessment questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Assessment questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
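Factors 11.25 and 11.26 list the classic batch application controls (input validation, a rejected-transaction list, balancing, and reconciliation to the input file) without showing how they fit together in one run. The following added example, not code from the slides or from the Commonwealth assessment template, processes a constructed interface file whose trailer carries control totals: every detail record is validated, rejects go to a suspense list with a reason, and the run balances accepted plus rejected against the trailer for both count and amount. The file layout (`H`, `D`, `T` records separated by `|`) and all values are assumptions of the example.

```python
"""Added example (not from the CLA slides or the Commonwealth assessment
template): the batch application controls listed in factor 11.26 run over a
constructed input file.  Each detail record is validated, rejected records
go to a suspense list for resolution, and the run is balanced against the
control totals carried in the file trailer so that input = accepted +
rejected for both record count and amount."""
from decimal import Decimal, InvalidOperation

# Constructed sample batch.  Layout (an assumption of this example):
#   H|batch name|date            header
#   D|record id|account|amount   detail record
#   T|count|total                trailer control totals over the detail records
SAMPLE_BATCH = """\
H|VENDOR_PAYMENTS|2017-09-30
D|1001|12345|250.00
D|1002|ABCDE|75.50
D|1003|67890|-10.00
D|1004|24680|125.25
T|4|440.75
"""


def validate(fields):
    """Input validation for one detail record; returns a rejection reason or None."""
    if len(fields) != 4:
        return "wrong field count"
    _tag, _rec_id, account, amount = fields
    if not (account.isdigit() and len(account) == 5):
        return "account must be 5 digits"
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return "amount not numeric"
    if value <= 0:
        return "amount must be positive"
    return None


def _amount_or_zero(fields):
    """Amount of a record for balancing.  An unparseable amount counts as zero,
    which makes the amount reconciliation fail and forces manual resolution."""
    try:
        return Decimal(fields[3])
    except (IndexError, InvalidOperation):
        return Decimal(0)


def process_batch(text: str) -> dict:
    """Validate, suspend rejects, and balance one batch against its trailer."""
    accepted, rejected = [], []
    trailer = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("|")
        tag = fields[0]
        if tag == "H":
            continue
        if tag == "T":
            trailer = (int(fields[1]), Decimal(fields[2]))
            continue
        if tag != "D":
            rejected.append((lineno, fields, "unknown record type"))
            continue
        reason = validate(fields)
        if reason is None:
            accepted.append(fields)
        else:
            rejected.append((lineno, fields, reason))   # suspense list entry
    if trailer is None:
        raise ValueError("batch has no trailer record: cannot balance")
    trailer_count, trailer_total = trailer
    accepted_total = sum((Decimal(f[3]) for f in accepted), Decimal(0))
    rejected_total = sum((_amount_or_zero(f) for _ln, f, _why in rejected), Decimal(0))
    return {
        "accepted": accepted,
        "rejected": rejected,            # (line number, fields, reason) for resolution
        "accepted_total": accepted_total,
        "count_balanced": len(accepted) + len(rejected) == trailer_count,
        "amount_balanced": accepted_total + rejected_total == trailer_total,
    }
```

The two balancing flags are the reconciliation to the input file: if either is false, the file was truncated, altered or mis-generated and must not be posted even though individual records validated. The suspense list is what the factor calls "identification and resolution of rejected transactions"; a rejected record with a value (the two here carry 75.50 and -10.00) still counts toward balancing, so nothing silently disappears from the totals.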
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Assessment questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Assessment questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Assessment questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Assessment questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Assessment questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Assessment questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Assessment questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statutes, regulations, economic changes, and other factors.
Assessment questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Assessment questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Assessment questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
Assessment questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended or operations, employee recognition, etc.) occur.
Assessment questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended or operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Assessment questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
Assessment questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Assessment questions: What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Assessment questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners.
Assessment questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Assessment questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
Assessment questions: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Assessment questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Assessment questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Assessment questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
Assessment questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Assessment questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Assessment questions: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Assessment questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Control Environment

The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.


Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.


Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.


Information & Communication

The quality information management and personnel communicate and use to support the internal control system.


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

Requirement, with the component and Green Book paragraph reference:

• Management develops and maintains documentation of its internal control system. (Control Environment, 3.09)
• Management documents in policies the internal control responsibilities of the organization. (Control Activities, 12.02)
• Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (Monitoring, 16.09)
• Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (Monitoring, 17.05)
• Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (Monitoring, 17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens technique"
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

Steps, each with the artifact it produces:

1. Formally declare an internal control framework (Written Policy, required)
2. Break down the organization into functions (Risk Assessment Spreadsheet)
3. Establish a process for evaluating risks (Risk Assessment Spreadsheet)
4. Create teams by function to brainstorm risks (Risk Assessment Spreadsheet)


Incremental Progress - Analysis and Monitoring

5. Analyze identified risks
6. Align existing controls with identified risks
7. Design controls to mitigate high-exposure risks
8. Develop a process to ensure the controls are operating as designed

Artifacts shown alongside these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

37

Instructions

ampFampP of ampNampD ampT

The assessment template is a tool for the management of each assessable unit within an agency (see Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system and is based on the Green Bookrsquos widely recognized internal control framework utilized by the United States federal government to develop internal control systems within its organization This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control The control factors are intended to help management consider the degree to which the system is functioning Many control factors relate to existing legislation and policies while others reflect business best practices The list of control factors is not all inclusive but is provided as a starting point Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity A copy of the completed Assessment Template along with any supporting control documentation should be organized and retained electronically Organizing this information in a logical manner will provide easy access for future updates revisions and handling requests from internal or external parties such as internal or external auditors Documentation will vary by agency The amount of documentation gathered to evidence this assessment depends on an agencyrsquos size complexity of its organizational structure and the business activities it performs Actual documentation may include mission statements goals objectives organization charts policies and procedures etc When reviewing the assessment you may determine some control factors to be agency-wide These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unitrsquos assessment template For a majority of agencies it may be logical to have an Executive Level assessable unit This would capture high level 
control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, select the yellow status. If the standard is not being met and no steps are currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark NA and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward correcting the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date by which the identified action item(s) will be completed, to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles apply to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.
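A small consistency checker for the column rules just described, added here as an example (it is not part of the deck or of the Commonwealth template); the row layout, the sample rows and the as-of dates are constructed for illustration:

```python
"""Consistency checks over rows of an internal control assessment template.

Added example, not the deck's or the template's own code. The row layout is an
assumption; the rules encoded are the column instructions above:
  * each control factor gets one rating: green, yellow, red or NA;
  * an NA rating must carry an explanation of why it does not apply;
  * a row with an action item must carry a weakness level of deficiency,
    significant deficiency or material weakness;
  * every significant deficiency or material weakness must carry a corrective
    action plan, a responsible party and a target completion date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence

RATINGS = {"green", "yellow", "red", "NA"}
WEAKNESS_LEVELS = {"deficiency", "significant deficiency", "material weakness"}
CAP_REQUIRED = {"significant deficiency", "material weakness"}


@dataclass
class ControlFactorRow:
    """One template row; factor ids such as "10.5" are principle.factor."""
    factor_id: str
    rating: str
    na_reason: str = ""
    controls_implemented: str = ""
    action_items: str = ""
    weakness_level: Optional[str] = None
    corrective_action_plan: str = ""
    responsible_party: str = ""
    target_completion: Optional[date] = None


def check_row(row: ControlFactorRow, as_of: date) -> List[str]:
    """Return the problems found on one row (empty when the row is complete)."""
    problems: List[str] = []
    if row.rating not in RATINGS:
        problems.append(f"rating {row.rating!r} is not one of {sorted(RATINGS)}")
    if row.rating == "NA" and not row.na_reason.strip():
        problems.append("NA selected without an explanation of why it does not apply")
    if row.action_items.strip():
        if row.weakness_level not in WEAKNESS_LEVELS:
            problems.append("action item recorded but weakness level not selected")
    elif row.weakness_level is not None:
        problems.append("weakness level selected but no action item documented")
    if row.weakness_level in CAP_REQUIRED:
        if not row.corrective_action_plan.strip():
            problems.append(f"{row.weakness_level} requires a corrective action plan")
        if not row.responsible_party.strip():
            problems.append(f"{row.weakness_level} requires a responsible party")
        if row.target_completion is None:
            problems.append(f"{row.weakness_level} requires a target completion date")
        elif row.target_completion < as_of:
            problems.append("target completion date has passed without closure")
    return problems


def check_template(rows: Sequence[ControlFactorRow], as_of: date) -> Dict[str, List[str]]:
    """Map factor id -> problems, keeping only rows that have at least one."""
    return {r.factor_id: p for r in rows if (p := check_row(r, as_of))}


def corrective_action_register(rows: Sequence[ControlFactorRow]) -> List[ControlFactorRow]:
    """Rows that must appear in the corrective action plan, earliest target first."""
    needing = [r for r in rows if r.weakness_level in CAP_REQUIRED]
    return sorted(needing, key=lambda r: (r.target_completion is None,
                                          r.target_completion or date.max))


# Constructed sample rows (hypothetical findings, not from any real assessment)
SAMPLE_ROWS = [
    ControlFactorRow("10.5", "yellow",
                     controls_implemented="Supervisor reviews all manual journal entries",
                     action_items="One clerk both receives cash and posts the receipts",
                     weakness_level="significant deficiency",
                     corrective_action_plan="Move posting to accounting; interim supervisory review",
                     responsible_party="Bureau Director",
                     target_completion=date(2017, 3, 31)),
    ControlFactorRow("10.12", "NA"),                       # NA with no explanation
    ControlFactorRow("11.6", "red",
                     action_items="No semiannual user access review performed",
                     weakness_level="material weakness"),  # CAP columns left empty
    ControlFactorRow("1.1", "green",
                     controls_implemented="Mission and values posted and covered at onboarding"),
]
ASSESSMENT_DATE = date(2016, 12, 31)   # constructed end of rating period
FOLLOW_UP_DATE = date(2017, 6, 30)     # constructed later follow-up date

if __name__ == "__main__":
    for factor, problems in check_template(SAMPLE_ROWS, ASSESSMENT_DATE).items():
        print(factor, "->", "; ".join(problems))
    print("CAP register:", [r.factor_id for r in corrective_action_register(SAMPLE_ROWS)])
```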

Template


Examples




Enterprise Risk Management

| Risk | Risk Description | Level of documented control procedures | Size or volume | New products, services or processing systems | Personnel turnover and mix | Complexity | Susceptibility to fraud | Information and reporting | Inherent level of risk to the organization | Frequency mentioned during interviews | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Weight | | 10 | 10 | 10 | 15 | 15 | 15 | 10 | 10 | 5 | 100 |
| Data Breach | The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |
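The weighted scoring behind the Total Score column, written out as an added example (not the deck's spreadsheet); the factor weights and the five rows are taken from the table above, while the ranking function and the per-factor contribution helper are assumptions about how a practitioner would use them:

```python
"""Weighted enterprise risk scoring as laid out in the spreadsheet above.

Added example, not the deck's own spreadsheet. Each risk is rated 1 to 5 on
nine factors, each factor carries a weight (the nine weights sum to 100), the
total score is the weighted sum of the ratings, and risks are ranked by total.
"""
from typing import Dict, List, Sequence, Tuple

# (factor, weight) in the column order of the worksheet above
FACTORS: List[Tuple[str, int]] = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
MIN_RATING, MAX_RATING = 1, 5

assert sum(w for _, w in FACTORS) == 100  # weights must total 100


def validate_ratings(ratings: Sequence[int]) -> None:
    """Reject a row with the wrong number of factors or a rating outside 1..5."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    for (name, _), r in zip(FACTORS, ratings):
        if not isinstance(r, int) or not MIN_RATING <= r <= MAX_RATING:
            raise ValueError(f"rating for {name!r} must be an integer 1..5, got {r!r}")


def total_score(ratings: Sequence[int]) -> int:
    """Weighted sum of the nine ratings (the worksheet's Total Score column)."""
    validate_ratings(ratings)
    return sum(w * r for (_, w), r in zip(FACTORS, ratings))


def factor_contributions(ratings: Sequence[int]) -> List[Tuple[str, int]]:
    """Per-factor weight * rating, largest first, to show what drives a score.

    This helper is an addition; the worksheet only shows the total.
    """
    validate_ratings(ratings)
    contrib = [(name, w * r) for (name, w), r in zip(FACTORS, ratings)]
    return sorted(contrib, key=lambda c: -c[1])


def rank_risks(risks: Dict[str, Sequence[int]]) -> List[Tuple[str, int]]:
    """Rank risks by total score, highest first; ties keep their input order."""
    scored = [(name, total_score(r)) for name, r in risks.items()]
    return sorted(scored, key=lambda s: -s[1])


# The five rows of the worksheet above, in its column order
SAMPLE_RISKS: Dict[str, List[int]] = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        top_factor, top_points = factor_contributions(SAMPLE_RISKS[name])[0]
        print(f"{score:4d}  {name:36s} driven by {top_factor} ({top_points})")
```

Three risks tie at 335, so a practitioner deciding where to spend control effort would look at the contribution breakdown rather than the total alone.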

38


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

39


Internal Audit Management Audit Plan

40


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

41

  • Internal Control over Compliance/Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18, Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe, locking cabinet, etc. to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level (drop-down selection): Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan, Responsible Party and Target Completion Date: to be completed for all significant deficiencies or material weaknesses.

Columns: Control Factor Statement | Control Factor Question | NA | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Each control factor below is listed as its statement, followed by the corresponding question(s) on an indented line.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
    Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
    When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
    Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
    Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
    Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) The agency/assessable unit documents its review of sub-recipients. 2) The agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Control factor: Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: Access Administration. 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 Control factor: In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 Control factor: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Control factor: Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: Super Users/Privileged Access. 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Control factor: Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: Physical Access. 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Control factor: Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes

11.10 Control factor: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Control factor: Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Control factor: Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Control factor: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Control factor: Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
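Control factors 11.4, 11.6 and 11.14 all reduce to the same comparison: who HR says works here, and in what role, against who actually holds accounts and group memberships. The reconciliation below is an added example, not part of the template or of any Commonwealth system; the HR roster, the directory export, the group names GRP-Prod-Deploy and GRP-Developers and the review date are constructed. It flags separated employees whose IDs are still enabled or not yet deleted after the two-week window (11.4), person accounts with no HR owner to review (11.6), and developers or shared IDs holding production implementation access (11.14).

```python
"""Reconcile an HR roster against a directory export for control factors 11.4
(joiner/leaver handling), 11.6 (access review) and 11.14 (no developer or
shared-ID access to production changes).

Added example, not from the template or the Commonwealth. Field names, the group
names GRP-Prod-Deploy / GRP-Developers and every record below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

DELETION_GRACE = timedelta(days=14)   # "after a two week period user IDs are deleted"
PROD_DEPLOY = "GRP-Prod-Deploy"       # assumed group able to implement changes in production
DEVELOPERS = "GRP-Developers"         # assumed developer group


@dataclass
class HrRecord:
    user_id: str
    title: str
    separated_on: date | None = None  # None = still employed


@dataclass
class Account:
    user_id: str
    enabled: bool
    account_type: str                 # "person" or "shared" (constructed attribute)
    groups: set[str] = field(default_factory=set)


def reconcile(hr, accounts, as_of):
    """Return (user_id, control_factor, finding) tuples for every exception found."""
    findings = []
    hr_by_id = {r.user_id: r for r in hr}
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if acct.account_type == "shared":
            findings.append((acct.user_id, "11.14", "shared/system user ID exists"))
        elif rec is None:
            findings.append((acct.user_id, "11.6", "no HR record; no owner to review access"))
        # Leaver checks: suspended on the last day, deleted after two weeks.
        if rec and rec.separated_on and rec.separated_on <= as_of:
            if acct.enabled:
                findings.append((acct.user_id, "11.4",
                                 f"separated {rec.separated_on} but ID still enabled"))
            if as_of - rec.separated_on > DELETION_GRACE:
                findings.append((acct.user_id, "11.4",
                                 "separated more than two weeks ago but ID not deleted"))
        # Segregation of duties: a developer (by group or HR title) must not deploy.
        is_developer = DEVELOPERS in acct.groups or (rec and "developer" in rec.title.lower())
        if PROD_DEPLOY in acct.groups and is_developer:
            findings.append((acct.user_id, "11.14",
                             "developer holds production implementation access"))
    return findings


AS_OF = date(2017, 6, 30)  # constructed review date

SAMPLE_HR = [
    HrRecord("jdoe", "Accountant"),
    HrRecord("asmith", "Application Developer"),
    HrRecord("bjones", "Systems Administrator"),
    HrRecord("cwhite", "Clerk", separated_on=date(2017, 6, 1)),    # left 29 days ago
    HrRecord("dgreen", "Analyst", separated_on=date(2017, 6, 28)),  # left 2 days ago
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, "person", {"GRP-Finance"}),
    Account("asmith", True, "person", {DEVELOPERS, PROD_DEPLOY}),  # SoD conflict
    Account("bjones", True, "person", {PROD_DEPLOY}),              # authorized admin
    Account("cwhite", False, "person", {"GRP-Finance"}),           # suspended, not deleted
    Account("dgreen", True, "person", {"GRP-Finance"}),            # never suspended
    Account("svc_batch", True, "shared", {PROD_DEPLOY}),           # shared ID
    Account("tmp_contractor", True, "person", set()),              # unknown to HR
]


def run_sample():
    """Run the reconciliation over the constructed data; returns the findings list."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user_id, factor, text in run_sample():
        print(f"{factor:<6} {user_id:<15} {text}")
```

The shared ID svc_batch is not also reported as "no HR record", since a shared account never has one; the finding that matters for it is the 11.14 exception. An account whose HR record shows separation on the review date itself is treated as one that should already be suspended, matching "on the employee's last day".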
Program Development

11.15 Control factor: A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 Control factor: For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?

11.17 Control factor: Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 Control factor: For all new or upgraded applications, testing is planned and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?

11.19 Control factor: Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 Control factor: The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?

Computer Operations

11.21 Control factor: Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Control factor: Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 Control factor: In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
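Control factors 11.21 and 11.23 say that every processing or backup failure raises an alert and ends in a helpdesk ticket with a documented resolution. The check below is an added example, not from the template: it reads a constructed scheduler log (one line per job in the form "date time JOB STATUS detail") and a constructed helpdesk export, then lists failures with no ticket and tickets with no resolution recorded, which is the evidence a reviewer would ask for when rating these two factors.

```python
"""Match scheduler failures to helpdesk tickets for control factors 11.21 and 11.23.

Added example, not part of the template. The log line format
'YYYY-MM-DD HH:MM:SS JOB_NAME SUCCESS|FAILED [detail]' and the ticket export
(ticket id, job name, resolution text) are constructed for illustration.
"""
import re

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<job>\S+) (?P<status>SUCCESS|FAILED)(?: (?P<detail>.*))?$"
)

# Constructed scheduler log for one night's run; the banner line is deliberately
# not in the job-line format so the parser has to skip it.
SCHEDULER_LOG = """\
=== nightly batch 2017-06-30 ===
2017-06-30 01:00:12 NIGHTLY_GL_POST SUCCESS
2017-06-30 01:30:05 BACKUP_INCR_FIN FAILED tape drive offline
2017-06-30 02:00:44 BACKUP_INCR_HR SUCCESS
2017-06-30 02:15:09 PAYROLL_INTERFACE FAILED rc=8 input file missing
2017-06-30 02:45:31 AR_AGING FAILED deadlock on AR_DETAIL
2017-06-30 03:00:00 REPORT_DIST SUCCESS
"""

# Constructed helpdesk export: (ticket id, job, resolution). "" means still open.
TICKETS = [
    ("HD-4411", "BACKUP_INCR_FIN", "Drive replaced; job rerun 01:55 and completed"),
    ("HD-4412", "PAYROLL_INTERFACE", ""),
]


def parse_log(text):
    """Return (events, unparsed_count); events are dicts of ts/job/status/detail."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed += 1      # surfaced, not hidden: a changed log format would show up here
    return events, unparsed


def review(log_text=SCHEDULER_LOG, tickets=TICKETS):
    """Compare failed jobs with tickets; returns the exceptions a reviewer would cite."""
    events, unparsed = parse_log(log_text)
    failed = [e["job"] for e in events if e["status"] == "FAILED"]
    resolution_by_job = {job: resolution for _, job, resolution in tickets}
    return {
        "events": len(events),
        "unparsed": unparsed,
        "failed": failed,
        # 11.23: a failure that never became a ticket
        "unticketed": [job for job in failed if job not in resolution_by_job],
        # 11.21/11.23: a ticket exists but the resolution was never documented
        "unresolved": [job for job in failed
                       if job in resolution_by_job and not resolution_by_job[job].strip()],
    }


if __name__ == "__main__":
    result = review()
    print(f"{result['events']} job events parsed, {result['unparsed']} line(s) skipped")
    print("failed jobs:          ", result["failed"])
    print("failures with no ticket:", result["unticketed"])
    print("tickets lacking resolution:", result["unresolved"])
```

Skipped lines are counted and returned instead of being dropped silently; a scheduler upgrade that changes the log layout would otherwise make every night look failure-free.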
Data Integrity

11.24 Control factor: Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Control factor: Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?

11.26 Control factor: Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
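Control factors 11.25 and 11.26 list the classic batch application controls: edit checks on input, identification of rejected transactions, and reconciliations to source data, input file and output file. The example below is added here and is not part of the template; the pipe-delimited file layout, its trailer record carrying the sender's control totals, and the small chart of accounts are constructed. It runs the three-way reconciliation on a batch that balances and on a batch that lost a record in transfer, where only the source-to-input check fails.

```python
"""Edit checks and source -> input -> output reconciliation for control factors
11.25 and 11.26.

Added example, not part of the template. File layout (constructed): a header
line, pipe-delimited transactions 'id|posting_date|account|amount', and a trailer
'T|<record count>|<amount total>' written by the sending system.
"""
from datetime import datetime
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000", "2000", "4100"}   # constructed chart of accounts


def to_decimal(raw):
    """Decimal for a well-formed amount, None otherwise (never float for money)."""
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def validate(fields):
    """System edit checks; returns the rejection reason or None when the record passes."""
    if len(fields) != 4:
        return "wrong field count"
    txn_id, posted, account, amount = fields
    if not txn_id:
        return "missing transaction id"
    try:
        datetime.strptime(posted, "%Y-%m-%d")
    except ValueError:
        return "invalid posting date"
    if account not in VALID_ACCOUNTS:
        return f"unknown account {account}"
    value = to_decimal(amount)
    if value is None:
        return "non-numeric amount"
    if value == 0:
        return "zero amount"
    return None


def process_batch(text):
    """Validate every transaction and reconcile the batch three ways.

    source_to_input: what was read matches the sender's trailer (catches records
    lost or corrupted between systems). input_to_output: accepted + rejected adds
    back to what was read (catches records dropped inside this program).
    """
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    body, trailer = lines[1:-1], lines[-1]            # lines[0] is the header
    _, declared_count, declared_total = trailer.split("|")
    declared = (int(declared_count), Decimal(declared_total))

    accepted, rejected = [], []
    input_total = Decimal("0")
    for line in body:
        fields = line.split("|")
        amount = to_decimal(fields[3]) if len(fields) == 4 else None
        if amount is not None:
            input_total += amount                      # hash total over every readable amount
        reason = validate(fields)
        if reason:
            rejected.append((line, reason, amount))    # kept, never silently dropped
        else:
            accepted.append((fields[0], fields[1], fields[2], amount))

    output_total = sum((rec[3] for rec in accepted), Decimal("0"))
    rejected_total = sum((rec[2] for rec in rejected if rec[2] is not None), Decimal("0"))
    read = (len(body), input_total)
    return {
        "declared": declared,
        "input": read,
        "output": (len(accepted), output_total),
        "rejected": [(line, reason) for line, reason, _ in rejected],
        "source_to_input": declared == read,
        "input_to_output": (len(body) == len(accepted) + len(rejected)
                            and input_total == output_total + rejected_total),
    }


# Constructed batches. The first balances to its trailer; three records fail edit
# checks but their amounts still reconcile. The second lost a record in transfer
# and carries a corrupted amount, so it cannot be tied back to the sender's totals.
BALANCED_BATCH = """\
H|PAYROLL|2017-06-30
T001|2017-06-30|1000|1250.00
T002|2017-06-30|2000|-300.50
T003|2017-13-01|1000|75.00
T004|2017-06-30|9999|20.00
|2017-06-30|4100|10.00
T|5|1054.50
"""

TRUNCATED_BATCH = """\
H|PAYROLL|2017-06-30
T001|2017-06-30|1000|1250.00
T002|2017-06-30|2000|-300.50
T006|2017-06-30|4100|abc
T|4|999.50
"""

if __name__ == "__main__":
    for name, batch in (("balanced", BALANCED_BATCH), ("truncated", TRUNCATED_BATCH)):
        report = process_batch(batch)
        print(name, {k: v for k, v in report.items() if k != "rejected"})
        for line, reason in report["rejected"]:
            print("   rejected:", reason, "<-", line)
```

A rejected record is retained with its reason and still counted in the input totals, so the rejected transactions queue (11.26) is itself reconcilable: accepted plus rejected must equal what was read, and what was read must equal what the source declared. A record whose amount cannot be parsed makes the source-to-input check fail by design, because its value cannot be vouched.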
Disaster Recovery

11.27 Control factor: A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Control factor: Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Control factor: Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Control factor: Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?

Principle 12 – Implement Control Activities

12.1 Control factor: Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Control factor: Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Control factor: Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?

Information and Communication

Principle 13 – Use Quality Information

13.1 Control factor: Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute and regulations, economic changes and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Control factor: Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?

13.3 Control factor: Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?

Principle 14 – Communication Internally

14.1 Control factor: Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Control factor: Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.).
Questions: How does management ensure that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.)?

14.3 Control factor: Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in the community room, email, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Control factor: Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?

Principle 15 – Communication Externally

15.1 Control factor: Management ensures that effective external communications occur (e.g., open channels with customers, suppliers, contractors, consultants and other governments, complaints/inquiries, advice from outside parties, etc.) with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 Control factor: An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?

15.3 Control factor: Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?

Monitoring

Principle 16 – Perform Monitoring Activities

16.1 Control factor: Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Control factor: Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Control factor: Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Control factor: Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Control factor: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Control factor: Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?

Principle 17 – Evaluate Issues and Remediate Deficiencies

17.1 Control factor: Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Control factor: Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Risk Assessment

Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

24

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

25

Information & Communication

The quality information management and personnel communicate and use to support the internal control system.

26

Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

27

Controls Across Components

28

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.

29

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

30

In Practice…

31

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

32

Incremental Progress - Organizing

HERE (starting point)
• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown on the slide: Written Policy (Required); Risk Assessment Spreadsheet

33

Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed
THERE (end point)

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)

34

Written Policy

35

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

36

Risk Assessment Spreadsheet

37

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Weighted risk scoring matrix. Each risk is scored on nine factors; the Total Score is the sum of each factor score multiplied by that factor's weight (the weights sum to 100).

Factors (weight):
F1 Level of documented control procedures (10)
F2 Size or volume (10)
F3 New products, services or processing systems (10)
F4 Personnel turnover and mix (15)
F5 Complexity (15)
F6 Susceptibility to fraud (15)
F7 Information and reporting (10)
F8 Inherent level of risk to the organization (10)
F9 Frequency mentioned during interviews (5)

| Risk | F1 | F2 | F3 | F4 | F5 | F6 | F7 | F8 | F9 | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Weight | 10 | 10 | 10 | 15 | 15 | 15 | 10 | 10 | 5 | 100 |
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and that should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
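The Total Score column in the matrix above is a weighted sum of the nine factor scores, which is easy to reproduce and check in code. The following is an added example, not code from the original slide deck or from CliftonLarsonAllen; it transcribes the factor weights and the five scored risks from the matrix, assumes the 1 to 5 scale the matrix uses, and adds the input validation and ranking that a spreadsheet leaves implicit (the general algorithm of which the matrix is one instance).

```python
"""Weighted risk scoring as used in the Enterprise Risk Management matrix.

Added example, not from the original slide deck. Factor names, weights and the
five scored risks are transcribed from the matrix; validation and ranking are
additions. The 1..5 score range is an assumption consistent with the matrix.
"""
from dataclasses import dataclass

# Factor weights as shown in the matrix header; they sum to 100.
WEIGHTS = {
    "documented_controls": 10,
    "size_or_volume": 10,
    "new_products_services_systems": 10,
    "personnel_turnover_and_mix": 15,
    "complexity": 15,
    "susceptibility_to_fraud": 15,
    "information_and_reporting": 10,
    "inherent_risk_to_organization": 10,
    "frequency_in_interviews": 5,
}
FACTORS = list(WEIGHTS)


@dataclass
class Risk:
    name: str
    scores: dict  # factor name -> score on the assumed 1..5 scale


def total_score(risk: Risk, weights=WEIGHTS) -> int:
    """Weighted sum: each factor score times the factor weight.

    Raises ValueError for a bad weight set, a missing factor or an
    out-of-range score, so a typo in the sheet cannot silently shift a rank.
    """
    if sum(weights.values()) != 100:
        raise ValueError("factor weights must sum to 100")
    total = 0
    for factor, weight in weights.items():
        if factor not in risk.scores:
            raise ValueError(f"{risk.name}: missing score for {factor}")
        score = risk.scores[factor]
        if not 1 <= score <= 5:
            raise ValueError(f"{risk.name}: score {score} for {factor} outside 1..5")
        total += score * weight
    return total


def rank_risks(risks, weights=WEIGHTS):
    """Return (name, total) pairs, highest total first; ties keep input order."""
    scored = [(r.name, total_score(r, weights)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def _risk(name, *scores):
    """Build a Risk from scores given in the order of the nine factor columns."""
    return Risk(name, dict(zip(FACTORS, scores)))


# The five risks scored in the matrix, in factor column order F1..F9.
MATRIX = [
    _risk("Data Breach", 2, 5, 4, 3, 5, 4, 5, 5, 3),
    _risk("National Park Service Relationship", 3, 5, 4, 3, 4, 1, 2, 5, 5),
    _risk("Age of Venue - Filene Center", 3, 5, 4, 3, 4, 3, 1, 4, 3),
    _risk("Succession Planning", 5, 2, 1, 5, 3, 2, 3, 5, 5),
    _risk("Audience Competition", 3, 5, 3, 1, 4, 2, 4, 5, 5),
]

if __name__ == "__main__":
    for name, total in rank_risks(MATRIX):
        print(f"{total:4d}  {name}")
```

Because three risks tie at 335, the ranking alone does not say which deserves attention first; the per-factor scores (for example, the fraud and complexity columns) are what management should look at when breaking such ties.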


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
SeanWalker@claconnect.com, 410-308-8081

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples tab (Principle | Control Factor):
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level (drop-down): Deficiency / Significant Deficiency / Material Weakness. Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses.

Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

Each row below gives the control factor statement followed by its question; the remaining columns are completed by the assessable unit.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility
2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system. Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?
2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees. Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees. Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel. Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances
6.1 Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Question: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems. Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
  – top-level reviews of performance;
  – management of human capital;
  – controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.);
  – physical control over vulnerable assets;
  – appropriate documentation (formal policies, directives and manuals are properly managed and maintained).
  Question: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Question: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Question: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
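
Control factors 11.4, 11.6 and 11.7 can all be tested with one reconciliation of the HR roster against the account list the Data Security group administers. The Python script below is an added example written for this page; it is not part of the Commonwealth template or of CliftonLarsonAllen's materials. The roster and account export, the field names, the group name "IT" and the two-week deletion window are constructed from the control-factor wording and are assumptions about what a real HR and Active Directory export would contain.

```python
"""Added example: reconcile an HR roster against system accounts to test
control factors 11.4 (offboarding), 11.6 (periodic access review) and
11.7 (privileged access). The data, field names and group names are
constructed for illustration, not taken from a real agency system."""
from datetime import date, timedelta

DELETE_AFTER = timedelta(days=14)  # 11.4: IDs deleted two weeks after suspension (assumed)
ADMIN_GROUP = "IT"                 # 11.4 (3): admin access limited to the IT group (assumed name)
AS_OF = date(2017, 4, 10)          # constructed review date

# Constructed HR roster; separation_date is None for current employees.
HR_ROSTER = [
    {"emp_id": "E100", "department": "Finance", "separation_date": None},
    {"emp_id": "E101", "department": "IT", "separation_date": None},
    {"emp_id": "E102", "department": "Finance", "separation_date": date(2017, 3, 1)},
    {"emp_id": "E103", "department": "Procurement", "separation_date": date(2017, 3, 20)},
]

# Constructed account export (e.g. from Active Directory or an application's user table).
ACCOUNTS = [
    {"user_id": "alice", "emp_id": "E100", "status": "active", "privileged": False},
    {"user_id": "bob", "emp_id": "E101", "status": "active", "privileged": True},
    {"user_id": "carol", "emp_id": "E102", "status": "active", "privileged": False},    # separated 3/1, never suspended
    {"user_id": "dave", "emp_id": "E103", "status": "suspended", "privileged": False},  # suspended, past the 14-day window
    {"user_id": "svc_batch", "emp_id": None, "status": "active", "privileged": True},   # service account, no HR record
    {"user_id": "erin", "emp_id": "E104", "status": "active", "privileged": True},      # privileged, no matching HR record
]


def review_access(roster, accounts, as_of):
    """Return findings keyed by the control factor they test.

    11.4_not_suspended : separated employee whose ID is still active
    11.4_not_deleted   : separated employee whose ID still exists after DELETE_AFTER
    11.6_no_hr_record  : account the business-manager review cannot attribute to a person
    11.7_admin_outside : privileged account held outside ADMIN_GROUP (or unattributable)
    """
    hr_by_id = {r["emp_id"]: r for r in roster}
    findings = {"11.4_not_suspended": [], "11.4_not_deleted": [],
                "11.6_no_hr_record": [], "11.7_admin_outside": []}
    for acct in accounts:
        person = hr_by_id.get(acct["emp_id"])
        if person is None:
            # Orphan or service account: must be justified explicitly in the review.
            findings["11.6_no_hr_record"].append(acct["user_id"])
            if acct["privileged"]:
                findings["11.7_admin_outside"].append(acct["user_id"])
            continue
        sep = person["separation_date"]
        if sep is not None and sep <= as_of:
            if acct["status"] == "active":
                findings["11.4_not_suspended"].append(acct["user_id"])
            elif as_of - sep > DELETE_AFTER:
                findings["11.4_not_deleted"].append(acct["user_id"])
        if acct["privileged"] and person["department"] != ADMIN_GROUP:
            findings["11.7_admin_outside"].append(acct["user_id"])
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for factor, users in run_review().items():
        print(f"{factor}: {', '.join(users) if users else 'no exceptions'}")
```

Every account that lands in a findings list is an exception the business manager must either fix or justify in writing during the semiannual review; the script deliberately treats an unattributable privileged account as both an 11.6 and an 11.7 exception, since neither control can be evidenced for it.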

11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have it. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Assessment questions: 1) Is access to the Data Center restricted by requiring a card key and/or PIN code, and can only those individuals who need access to perform their daily job responsibilities enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Assessment questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
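
Factor 11.9 asks whether management actually reviews perimeter and application logs, and factor 11.3 states the lockout rule those logs should confirm (the ID is suspended after four invalid attempts). The Python script below is an added example for this page, not part of the template, that runs both checks over constructed log lines. The line format (timestamp, host, event name, key=value fields), the host names, the sample addresses and the thresholds are assumptions; real firewall and application logs need their own parser.

```python
"""Added example: review constructed perimeter and authentication log lines
for (a) sources generating repeated firewall denies (11.9) and (b) accounts
that logged in successfully after reaching the four-failure lockout
threshold, which would mean the 11.3 lockout is not being enforced.
The log format and sample lines are constructed, not from any product."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")

# Constructed sample: a scan from 203.0.113.7, one stray deny, and a user who
# fails four times and then succeeds.
SAMPLE_LOG = """\
2017-03-10T08:00:01 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2017-03-10T08:00:02 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2017-03-10T08:00:03 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2017-03-10T08:00:04 fw1 DENY src=203.0.113.7 dst=192.0.2.11 dport=445
2017-03-10T08:00:05 fw1 DENY src=203.0.113.7 dst=192.0.2.12 dport=1433
2017-03-10T08:01:00 fw1 DENY src=198.51.100.9 dst=192.0.2.10 dport=80
2017-03-10T09:10:00 app1 LOGIN_FAIL user=jsmith src=10.1.1.5
2017-03-10T09:10:20 app1 LOGIN_FAIL user=jsmith src=10.1.1.5
2017-03-10T09:10:40 app1 LOGIN_FAIL user=jsmith src=10.1.1.5
2017-03-10T09:11:00 app1 LOGIN_FAIL user=jsmith src=10.1.1.5
2017-03-10T09:11:30 app1 LOGIN_OK user=jsmith src=10.1.1.5
2017-03-10T09:20:00 app1 LOGIN_FAIL user=bjones src=10.1.1.8
2017-03-10T09:25:00 app1 LOGIN_OK user=bjones src=10.1.1.8
"""


def parse_line(line):
    """Parse one line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for pair in rec.pop("rest").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review_logs(text, deny_threshold=5, lockout_threshold=4):
    """Return findings: sources at/over deny_threshold, users that reached the
    lockout threshold, and users who still logged in afterwards."""
    denies = Counter()
    fails = defaultdict(int)
    reached, not_enforced = set(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "DENY":
            denies[rec["src"]] += 1
        elif rec["event"] == "LOGIN_FAIL":
            fails[rec["user"]] += 1
            if fails[rec["user"]] >= lockout_threshold:
                reached.add(rec["user"])
        elif rec["event"] == "LOGIN_OK":
            # 11.3 says the ID is suspended after four failures; a success here
            # means the lockout did not take effect (or was reset by an admin).
            if fails[rec["user"]] >= lockout_threshold:
                not_enforced.add(rec["user"])
            fails[rec["user"]] = 0
    return {
        "scanning_sources": sorted(s for s, n in denies.items() if n >= deny_threshold),
        "reached_lockout": sorted(reached),
        "lockout_not_enforced": sorted(not_enforced),
    }


if __name__ == "__main__":
    for name, items in review_logs(SAMPLE_LOG).items():
        print(f"{name}: {items or 'none'}")
```

The retained output of a run like this, with the date it was reviewed and who reviewed it, is the evidence an auditor will ask for under 11.9; "lockout_not_enforced" hits should be traced to either an administrator unlock ticket or a configuration gap under 11.3.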

Program Changes

11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Assessment questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Assessment questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and the results of successful testing are documented prior to implementation.
Assessment questions: Are application changes tested, and are the results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Assessment questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 The administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform their job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Assessment questions: Is the administrative access required to implement system software changes into the production environment restricted to authorized personnel who require such access to perform their job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
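
Factors 11.11 through 11.14 describe a sequence (authorize, develop, test, approve, implement) and a separation of duties (developers and end users never implement in production). Both are mechanically checkable from the change record before a release is scheduled. The Python gate below is an added example for this page, not part of the template or any Commonwealth tool; the record layout, the group names DEVELOPERS and RELEASE_OPERATORS and the two sample change records are constructed assumptions.

```python
"""Added example: a pre-release gate that checks one change record against
control factors 11.11 through 11.14 (authorization before work starts,
documented successful test before implementation, approval before
implementation, and separation of duties between developers and the
staff who implement changes in production). The record layout, group
membership and sample changes are constructed assumptions."""
from datetime import datetime

DEVELOPERS = {"dev_ann", "dev_raj"}      # assumed developer group
RELEASE_OPERATORS = {"ops_lee"}          # assumed: the only group allowed to implement in production
REQUIRED = ("id", "emergency", "developed_by", "authorized_by", "authorized_at",
            "work_started_at", "test_result", "tested_at", "approved_by",
            "approved_at", "implemented_by", "implemented_at")


def _t(value):
    """Parse an ISO-8601 timestamp, or return None when the field is blank."""
    return datetime.fromisoformat(value) if value else None


def validate_change(change):
    """Return the list of control violations for one change (empty list = passes)."""
    missing = [f for f in REQUIRED if f not in change]
    if missing:
        return ["record incomplete: missing " + ", ".join(missing)]
    issues = []
    authorized = _t(change["authorized_at"])
    started = _t(change["work_started_at"])
    tested = _t(change["tested_at"])
    approved = _t(change["approved_at"])
    implemented = _t(change["implemented_at"])
    emergency = change["emergency"]

    # 11.11: authorization obtained before the change is initiated (emergency changes excepted).
    if not emergency and (authorized is None or started is None or authorized > started):
        issues.append("11.11 work started before management authorization")
    # 11.12: successful test documented before implementation.
    if change["test_result"] != "pass" or tested is None or implemented is None or tested > implemented:
        issues.append("11.12 no documented successful test before implementation")
    # 11.13: approval before implementation; emergency approvals may follow, but must be documented.
    if emergency:
        if not change["approved_by"] or approved is None:
            issues.append("11.13 emergency change has no documented approval")
    elif approved is None or implemented is None or approved > implemented:
        issues.append("11.13 implemented before management approval")
    # 11.14: separation of duties around the production environment.
    if change["implemented_by"] in DEVELOPERS or change["implemented_by"] not in RELEASE_OPERATORS:
        issues.append("11.14 implemented by someone outside the authorized release group")
    if change["approved_by"] == change["developed_by"]:
        issues.append("11.14 approver is the developer of the change")
    return issues


# Constructed records: one compliant, one with several control failures.
GOOD_CHANGE = {
    "id": "CHG-1001", "emergency": False, "developed_by": "dev_ann",
    "authorized_by": "mgr_kim", "authorized_at": "2017-03-01T09:00:00",
    "work_started_at": "2017-03-01T10:00:00", "test_result": "pass",
    "tested_at": "2017-03-06T15:00:00", "approved_by": "mgr_kim",
    "approved_at": "2017-03-07T09:00:00", "implemented_by": "ops_lee",
    "implemented_at": "2017-03-08T02:00:00",
}
BAD_CHANGE = {
    "id": "CHG-1002", "emergency": False, "developed_by": "dev_raj",
    "authorized_by": "mgr_kim", "authorized_at": "2017-03-02T12:00:00",
    "work_started_at": "2017-03-02T08:00:00", "test_result": "fail",
    "tested_at": "2017-03-03T10:00:00", "approved_by": "dev_raj",
    "approved_at": "2017-03-05T10:00:00", "implemented_by": "dev_raj",
    "implemented_at": "2017-03-04T23:00:00",
}

if __name__ == "__main__":
    for rec in (GOOD_CHANGE, BAD_CHANGE):
        print(rec["id"], validate_change(rec) or ["passes"])
```

The gate only proves the record is internally consistent; the 11.14 question "how does management ensure developers do not have production access" still has to be answered from the production system's group membership, which is what the access review under 11.6 and 11.7 covers.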

Program Development

11.15 A written system development life cycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Assessment questions: Has a written system development life cycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Assessment questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Assessment questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and the results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Assessment questions: Is testing planned for all new or upgraded applications? Are the results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Assessment questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is the approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for the reconciliations is retained. A post-implementation review of all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Assessment questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for the reconciliations retained? Is a post-implementation review of all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?

Computer Operations

11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Assessment questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Assessment questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Assessment questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
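
The inventory audit in 11.22 is a three-way reconciliation (agency catalog, vendor inventory, onsite count) plus a freshness check that each system really has a full and an incremental backup within the stated cycle. The Python script below is an added example for this page, not from the template or any backup product; the tape IDs, system names, catalog layout, vendor list and retention windows are constructed assumptions.

```python
"""Added example: audit a constructed backup catalog against the offsite
vendor's inventory and an onsite shelf count (11.22), and check that each
system has a recent full and incremental backup. Tape IDs, system names and
the retention windows are constructed assumptions."""
from datetime import date, timedelta

AS_OF = date(2017, 3, 10)
FULL_MAX_AGE = timedelta(days=7)         # 11.22: full backups weekly (use 31 for a monthly cycle)
INCREMENTAL_MAX_AGE = timedelta(days=1)  # 11.22: incrementals of critical data daily

# Constructed agency catalog: what the agency's backup software says exists and where.
CATALOG = [
    {"tape": "T001", "system": "ERP", "kind": "full", "taken": date(2017, 3, 5), "location": "offsite"},
    {"tape": "T002", "system": "ERP", "kind": "incremental", "taken": date(2017, 3, 9), "location": "onsite"},
    {"tape": "T003", "system": "GIS", "kind": "full", "taken": date(2017, 1, 29), "location": "offsite"},
    {"tape": "T004", "system": "GIS", "kind": "incremental", "taken": date(2017, 3, 6), "location": "onsite"},
]
VENDOR_INVENTORY = {"T001", "T009"}  # constructed: the vendor's signed inventory report
ONSITE_SCAN = {"T002"}               # constructed: physical count of the onsite rack


def audit_backups(catalog, vendor_inventory, onsite_scan, as_of,
                  full_max_age=FULL_MAX_AGE, incr_max_age=INCREMENTAL_MAX_AGE):
    """Reconcile media locations and check backup freshness; returns sorted finding lists."""
    expected_offsite = {t["tape"] for t in catalog if t["location"] == "offsite"}
    expected_onsite = {t["tape"] for t in catalog if t["location"] == "onsite"}
    latest = {}
    for t in catalog:
        key = (t["system"], t["kind"])
        latest[key] = max(latest.get(key, t["taken"]), t["taken"])
    systems = sorted({t["system"] for t in catalog})
    stale_full = [s for s in systems
                  if (s, "full") not in latest or as_of - latest[(s, "full")] > full_max_age]
    stale_incr = [s for s in systems
                  if (s, "incremental") not in latest or as_of - latest[(s, "incremental")] > incr_max_age]
    return {
        "missing_at_vendor": sorted(expected_offsite - vendor_inventory),  # lost, or never shipped
        "unknown_at_vendor": sorted(vendor_inventory - expected_offsite),  # media the agency does not track
        "missing_onsite": sorted(expected_onsite - onsite_scan),
        "stale_full": stale_full,
        "stale_incremental": stale_incr,
    }


def run_audit():
    """Run the audit over the constructed data."""
    return audit_backups(CATALOG, VENDOR_INVENTORY, ONSITE_SCAN, AS_OF)


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items or 'none'}")
```

"unknown_at_vendor" deserves as much attention as a missing tape: media the vendor holds that the agency no longer tracks is backup data with no owner and no destruction date, which is a data security issue under 11.2 as well as an inventory error.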

Data Integrity

11.24 Management establishes restrictive authorization controls within its operations, including the establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Assessment questions: Does management establish restrictive authorization controls within its operations, including the establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to the source data/system, system edit checks and reviews of output reports.
Assessment questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to the source data/system, system edit checks and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions and reconciliations (to source data, to input file, to output file).
Assessment questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions and reconciliations (to source data, to input file, to output file)?
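
Factors 11.25 and 11.26 list the classic batch-interface controls: edit checks on each record, a reject list that is worked rather than dropped, and control totals that tie the input file back to the sending system and the accepted-plus-rejected records back to the input. The Python script below is an added example for this page, not from the template or any Commonwealth interface; the file layout (H header, D detail, T trailer), the vendor-ID pattern, the cost-center table and the sample rows are constructed assumptions.

```python
"""Added example: edit checks, reject handling and control-total reconciliation
for a constructed batch interface file (11.25 and 11.26). The file layout
(H header, D detail, T trailer), the vendor ID pattern and the cost-center
list are assumptions for illustration, not a real Commonwealth interface."""
import re
from datetime import datetime
from decimal import Decimal, InvalidOperation

VALID_COST_CENTERS = {"CC100", "CC200"}     # assumed reference table
VENDOR_ID_RE = re.compile(r"^V\d{3}$")       # assumed vendor-ID format

# Constructed feed: header with file date, five detail rows, trailer with the
# sending system's record count and hash total (sum of amounts).
SAMPLE_FEED = """\
H,VENDORPAY,2017-03-10
D,V001,2017-03-01,125.50,CC100
D,V002,2017-02-30,80.00,CC100
D,V0X3,2017-03-02,45.25,CC200
D,V004,2017-03-03,-10.00,CC100
D,V005,2017-03-04,300.00,CC999
T,5,540.75
"""


def _decimal(text):
    """Decimal (never float) for money; None when the field is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def check_record(vendor, invoice_date, amount, cost_center, as_of):
    """System edit checks for one detail record; returns the reject reasons (empty = accept)."""
    reasons = []
    if not VENDOR_ID_RE.match(vendor):
        reasons.append("vendor id format")
    try:
        d = datetime.strptime(invoice_date, "%Y-%m-%d").date()
        if as_of is not None and d > as_of:
            reasons.append("invoice date in the future")
    except ValueError:
        reasons.append("invalid invoice date")
    amt = _decimal(amount)
    if amt is None:
        reasons.append("amount not numeric")
    elif amt <= 0:
        reasons.append("amount not positive")
    if cost_center not in VALID_COST_CENTERS:
        reasons.append("unknown cost center")
    return reasons


def process_feed(text):
    """Validate every detail record and reconcile counts and totals to the trailer."""
    accepted, rejected = [], []
    as_of = trailer_count = trailer_total = None
    received_count, received_total = 0, Decimal(0)
    for line in text.splitlines():
        parts = line.strip().split(",")
        if parts[0] == "H":
            as_of = datetime.strptime(parts[2], "%Y-%m-%d").date()
        elif parts[0] == "D":
            vendor, inv_date, amount, cc = parts[1:5]
            value = _decimal(amount) or Decimal(0)
            received_count += 1
            received_total += value
            reasons = check_record(vendor, inv_date, amount, cc, as_of)
            (rejected if reasons else accepted).append(
                {"vendor": vendor, "amount": value, "reasons": reasons})
        elif parts[0] == "T":
            trailer_count, trailer_total = int(parts[1]), Decimal(parts[2])
    accepted_total = sum((r["amount"] for r in accepted), Decimal(0))
    rejected_total = sum((r["amount"] for r in rejected), Decimal(0))
    # Reconciliation: input file to the source trailer, and accepted + rejected back to input.
    reconciled = (trailer_count == received_count
                  and trailer_total == received_total
                  and accepted_total + rejected_total == received_total)
    return {"accepted": accepted, "rejected": rejected,
            "received_count": received_count, "received_total": received_total,
            "trailer_count": trailer_count, "trailer_total": trailer_total,
            "reconciled": reconciled}


if __name__ == "__main__":
    result = process_feed(SAMPLE_FEED)
    print("reconciled:", result["reconciled"])
    for r in result["rejected"]:
        print("rejected", r["vendor"], ", ".join(r["reasons"]))
```

Note that the sample file reconciles even though four of five rows are rejected: the control totals prove the file arrived intact, while the reject list is the evidence for "identification and resolution of rejected transactions". A file whose trailer does not match (a truncated transfer, for example) should be held and re-requested, not partially posted.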

Disaster Recovery

11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Assessment questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Assessment questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Assessment questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?

End-User Computing

11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Assessment questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?

Principle 12 - Implement Control Activities

12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Assessment questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Assessment questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Assessment questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?

Information and Communication

Principle 13 - Use Quality Information

13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This includes management's review of changes to statutes and regulations, economic changes and other factors.
Assessment questions: How does management continuously identify changes (i.e., to the control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
Assessment questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and is not reporting false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Assessment questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?

Principle 14 - Communicate Internally

14.1 Policies and procedures are formally shared with employees, are up to date, reflect actual operating practices, are in alignment with goals and objectives, and comply with state and federal program requirements.
Assessment questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.).
Assessment questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Assessment questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., a flyer hanging in the community room, e-mail, the onboarding process).
Assessment questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Assessment questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of the information?

Principle 15 - Communicate Externally

15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants and other governments; complaints/inquiries; advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Assessment questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Assessment questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., e-mail)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Assessment questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?

Monitoring

Principle 16 - Perform Monitoring Activities

16.1 Management establishes a baseline to monitor the internal control system.
Assessment questions: Has management established a baseline to monitor the internal control system?

16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Assessment questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Assessment questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Assessment questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies? Has management confirmed that the complementary user entity controls the service organization's report assumes are in place are actually implemented on the agency's side?

16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Assessment questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Assessment questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?

Principle 17 - Evaluate Issues and Remediate Deficiencies

17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Assessment questions: How do employees report deficiencies in internal control to management?

17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Assessment questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to the findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Control Activities
The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

Information & Communication
The quality information management and personnel communicate and use to support the internal control system.

Monitoring
Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.

Controls Across Components

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system. | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization. | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ The "stuff happens" technique
    ◊ "Trust level" is the dominant form of risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as its sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown on the slide: Written Policy (Required); Risk Assessment Spreadsheet.

Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required).

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and then copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment/risk assessment control factors that may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward correcting the issue and establishing a strong control system.

Corrective Action Plan Column: Each identified issue must be classified as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements, errors or non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and the 17 principles apply to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk scoring matrix. Each risk is rated 1-5 on nine factors; the weight of each factor is shown in parentheses (weights sum to 100).

Factors, in column order:
  1. Level of documented control procedures (10)
  2. Size or volume (10)
  3. New products, services or processing systems (10)
  4. Personnel turnover and mix (15)
  5. Complexity (15)
  6. Susceptibility to fraud (15)
  7. Information and reporting (10)
  8. Inherent level of risk to the organization (10)
  9. Frequency mentioned during interviews (5)

Risk Description                        Ratings (factors 1-9)   Total Score
Data Breach                             2 5 4 3 5 4 5 5 3       405
National Park Service Relationship      3 5 4 3 4 1 2 5 5       335
Age of Venue - Filene Center            3 5 4 3 4 3 1 4 3       335
Succession Planning                     5 2 1 5 3 2 3 5 5       335
Audience Competition                    3 5 3 1 4 2 4 5 5       330

Data Breach: The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.

Age of Venue - Filene Center: The risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
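The Total Score on this slide is the weighted sum of the nine ratings: for Data Breach, 2x10 + 5x10 + 4x10 + 3x15 + 5x15 + 4x15 + 5x10 + 5x10 + 3x5 = 405. The following is an added example, not CLA's spreadsheet: it encodes the slide's factors, weights and five risks, rejects rows with a missing or out-of-range rating (a blank cell in a spreadsheet silently scores as zero and drops the risk down the ranking), ranks the risks, and reports which factors drive each score so the narrative can say why a risk ranks where it does. Factor and risk names are taken from the slide; the function names are this example's own.

```python
"""Weighted risk scoring as used on the Enterprise Risk Management slide.

Added example, not CLA's spreadsheet. Each risk is rated 1-5 on nine factors,
each factor carries a weight, and Total Score is the sum of rating x weight.
The factors, weights and five risks below are the ones printed on the slide.
"""

# Factor name and weight, in slide order. Weights sum to 100, so the
# maximum possible Total Score is 500.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
WEIGHTS = [weight for _, weight in FACTORS]
MAX_SCORE = 5 * sum(WEIGHTS)

# The slide's five risks: name -> ratings in factor order.
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def validate_ratings(ratings):
    """Reject rows that would silently distort the ranking: wrong length or out-of-range values."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    bad = [r for r in ratings if not (isinstance(r, int) and 1 <= r <= 5)]
    if bad:
        raise ValueError(f"ratings must be integers 1-5, got {bad}")


def total_score(ratings):
    """Weighted sum of ratings, matching the slide's Total Score column."""
    validate_ratings(ratings)
    return sum(r * w for r, w in zip(ratings, WEIGHTS))


def contributions(ratings):
    """(factor, points) pairs, highest first; ties keep slide order (sorted() is stable)."""
    validate_ratings(ratings)
    pairs = [(name, r * w) for (name, w), r in zip(FACTORS, ratings)]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


def rank(risks):
    """Risk names ordered by Total Score, highest first; ties keep input order."""
    return sorted(risks, key=lambda name: total_score(risks[name]), reverse=True)


if __name__ == "__main__":
    for name in rank(RISKS):
        score = total_score(RISKS[name])
        top = ", ".join(f"{f} ({p})" for f, p in contributions(RISKS[name])[:2])
        print(f"{score:>4}/{MAX_SCORE}  {name:<38} driven by {top}")
```

Three risks tie at 335, so the order among them is whatever order they were entered in; a spreadsheet sorted on the Total column behaves the same way, which is worth stating in the narrative rather than leaving the reader to infer a ranking the weights do not support.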


Internal Control Policies and Procedures

• Develop a template and a location for access and storage - SharePoint, intranet site, guide, etc. (information and communication)

• Policy components - identify the risk; document the control activities; strategy for communication


Internal Audit Management Audit Plan


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
SeanWalker@claconnect.com | 410-308-8081


  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework?
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples Tab

Principle   Control Factor
1           Executive Order 1980-18 Amended (Code of Conduct)
1           Performing professional and educational reference checks prior to hiring a new employee
3           Department organization charts
4           Annual employee performance evaluations
7           Dept. of Health's Pandemic Influenza Response Plan
10          Use of a safe or locking cabinet, etc. to secure cash receipts or petty cash
10          User identification and password to log into your agency's computer network
10          Reconciling a petty cash checking account to the monthly bank statement
10          PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10          Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14          Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level drop-down values: Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 - Demonstrate Commitment to Integrity and Ethical Values

1.1  Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency.
     Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to employees (i.e., annually, change of administration)?

1.2  Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
     Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 - Exercise Oversight Responsibility

2.1  Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
     Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2  The oversight body oversees management's design, implementation and operation of the agency's internal control system.
     Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3  Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
     Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 - Establish Structure, Responsibility and Authority

3.1  Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
     Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2  Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
     Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3  Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
     Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 - Demonstrate Commitment to Competence

4.1  Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
     Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2  Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
     Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3  Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
     Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4  Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
     Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 - Enforce Accountability

5.1  Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
     Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2  Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
     Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3  Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels or by other methods.
     Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 - Define Objectives and Risk Tolerances

6.1  The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
     Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2  Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for non-financial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
     Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 - Identify, Analyze and Respond to Risks

7.1  A process (i.e., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
     Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2  A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
     Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3  Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
     Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4  Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
     Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5  Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
     Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6  Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
     Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7  Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
     Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 - Assess Fraud Risk

8.1  Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
     Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2  Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies the fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
     Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3  Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
     Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 - Identify, Analyze and Respond to Change

9.1  Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
     Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2  Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
     Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3  Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
     Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 - Design Control Activities

10.1  Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
      Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2  Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
      Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3  Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
      Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4  The agency has established and monitors performance measures and indicators.
      Question: Do you monitor performance measures?

10.5  Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
      Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6  Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
      Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7  Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million, so all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
      Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8  Accounting reports and key reconciliations are completed timely (i.e., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
      Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9  Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
      • Top-level reviews of performance
      • Management of human capital
      • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.)
      • Physical control over vulnerable assets
      • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
      Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
      Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
      Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews the corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
      Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review the corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
      Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Management obtains and reviews all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
      Question: Does management obtain and review all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
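The segregation test in 10.5 and the annual role review in 10.6 can be run mechanically against a role export rather than by reading a user list. The following is an added example, not part of the Commonwealth template: it maps application roles to the four duties 10.5 names (initiate transactions, reconcile balances, handle assets, review reports), flags any user whose roles together cover two or more of them, and counts a conflict as a finding only when no compensating control is documented for that user, which is the exception 10.5 allows. An unmapped role raises an error rather than being silently treated as harmless, since a built-in role that bundles duties is exactly the case a review misses. Role names, user IDs, assignments and the compensating-control register are all constructed for the example.

```python
"""Segregation-of-duties check over role assignments (control factors 10.5 and 10.6).

Added example, not part of the Commonwealth template. Maps each role to the
duties it confers, then reports users whose combined roles cover two or more
of the four duties 10.5 says one person should not hold together.
"""
from itertools import combinations

# The four duties named in 10.5; any two held by one person is a conflict.
DUTIES = {"initiate", "reconcile", "handle_assets", "review"}

# Constructed mapping of application roles to the duties they confer.
ROLE_DUTIES = {
    "AP_Entry":      {"initiate"},
    "AP_Approver":   {"review"},
    "GL_Reconciler": {"reconcile"},
    "Cashier":       {"handle_assets"},
    "Report_Viewer": set(),                   # read-only, confers no conflicting duty
    "SysAdmin":      {"initiate", "review"},  # built-in role that bundles two duties
}

# Constructed role assignments, as a role-review export would list them.
ASSIGNMENTS = [
    ("ajones", "AP_Entry"), ("ajones", "Report_Viewer"),
    ("bkim", "AP_Approver"),
    ("clopez", "AP_Entry"), ("clopez", "GL_Reconciler"),  # small unit: one person does both
    ("dsmith", "SysAdmin"),
    ("ewu", "Cashier"), ("ewu", "GL_Reconciler"),
]

# Constructed register of documented compensating controls (10.5): user -> description.
COMPENSATING = {
    "clopez": "Bureau director reviews and initials the monthly GL reconciliation",
}


def duties_by_user(assignments, role_duties):
    """Union of duties each user holds across all assigned roles."""
    out = {}
    for user, role in assignments:
        if role not in role_duties:
            # Refuse to guess: an unmapped role must be classified before the review is signed.
            raise KeyError(f"role {role!r} is not in the role-to-duty map")
        out.setdefault(user, set()).update(role_duties[role])
    return out


def find_conflicts(assignments, role_duties=ROLE_DUTIES):
    """Return {user: [conflicting duty pairs]} for users holding two or more of DUTIES."""
    conflicts = {}
    for user, duties in duties_by_user(assignments, role_duties).items():
        held = sorted(duties & DUTIES)
        if len(held) >= 2:
            conflicts[user] = list(combinations(held, 2))
    return conflicts


def classify(conflicts, compensating=COMPENSATING):
    """Split conflicts into findings (no documented compensating control) and accepted exceptions."""
    findings, accepted = {}, {}
    for user, pairs in conflicts.items():
        (accepted if user in compensating else findings)[user] = pairs
    return findings, accepted


if __name__ == "__main__":
    findings, accepted = classify(find_conflicts(ASSIGNMENTS))
    for user, pairs in findings.items():
        print(f"FINDING  {user}: {pairs} (no compensating control documented)")
    for user, pairs in accepted.items():
        print(f"ACCEPTED {user}: {pairs} -> {COMPENSATING[user]}")
```

The findings list is what goes in the Action Items column; the accepted list is the documentation 10.5 asks for when segregation is impractical, and it should be re-confirmed at each annual review because the compensating reviewer can leave too.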
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date, and are suspended user IDs deleted after the two-week period? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
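The evidence an auditor will ask for under 11.4 and 11.6 is a reconciliation: the HR roster against the directory, showing that separated employees were suspended on their last day, that suspended IDs were deleted after the two-week window, and that every account traces to a current employee. The script below is an added example, not part of the assessment template or any Commonwealth system. It works on two CSV extracts whose column names are assumptions (an HR roster with status, separation date and manager; a directory export with enabled flag, suspension date and group list); both extracts are constructed. It produces the exception list for 11.4 and the per-manager certification pack for the 11.6 review.

```python
"""Reconcile a directory export against the HR roster for control
factors 11.4 (suspend on last day, delete after two weeks) and 11.6
(semiannual access review by business managers).

Added example; not part of the assessment template. Both CSV extracts
are constructed and their column names are assumptions.
"""
import csv
import io
from datetime import date, timedelta

HR_ROSTER = """\
employee_id,name,status,separation_date,manager
1001,Ann Lee,Active,,mgr.ops
1002,Bob Ray,Separated,2017-03-31,mgr.ops
1003,Cal Wu,Separated,2017-03-01,mgr.fin
1004,Dee Fox,Active,,mgr.fin
"""

DIRECTORY_EXPORT = """\
username,employee_id,enabled,suspended_date,groups
alee,1001,true,,Payroll-Users;VPN
bray,1002,true,,Payroll-Users
cwu,1003,false,2017-03-01,Finance-Users
dfox,1004,true,,Finance-Users;Finance-Approvers
svc_legacy,,true,,Domain Admins
"""

SUSPEND_TO_DELETE = timedelta(days=14)  # the two-week window in 11.4


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, dir_rows, as_of):
    """Return (username, finding) pairs for accounts that breach 11.4."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = []
    for acct in dir_rows:
        user = acct["username"]
        enabled = acct["enabled"].lower() == "true"
        emp = hr.get(acct["employee_id"])
        if emp is None:
            # No HR owner: an orphaned account or a shared/service ID that
            # needs a documented owner before it can be certified.
            findings.append((user, "no HR record (orphan or shared/service ID)"))
            continue
        if emp["status"] != "Separated":
            continue
        last_day = date.fromisoformat(emp["separation_date"])
        if enabled and last_day <= as_of:
            findings.append((user, f"enabled after separation on {last_day}"))
        elif not enabled and acct["suspended_date"]:
            suspended = date.fromisoformat(acct["suspended_date"])
            if suspended + SUSPEND_TO_DELETE < as_of:
                findings.append((user, f"suspended {suspended}, still present after two-week deletion window"))
    return findings


def review_pack(hr_rows, dir_rows):
    """Group enabled accounts by manager for the semiannual certification (11.6).

    Enabled accounts of separated employees are deliberately kept in the
    pack so the business manager sees them; orphans are excluded because
    no manager can certify them.
    """
    hr = {r["employee_id"]: r for r in hr_rows}
    pack = {}
    for acct in dir_rows:
        emp = hr.get(acct["employee_id"])
        if emp is None or acct["enabled"].lower() != "true":
            continue
        groups = acct["groups"].split(";") if acct["groups"] else []
        pack.setdefault(emp["manager"], []).append((acct["username"], groups))
    return pack


def run_sample(as_of_iso="2017-04-10"):
    """Run both checks on the constructed extracts; returns (findings, pack)."""
    hr, directory = load(HR_ROSTER), load(DIRECTORY_EXPORT)
    return reconcile(hr, directory, date.fromisoformat(as_of_iso)), review_pack(hr, directory)


if __name__ == "__main__":
    findings, pack = run_sample()
    for user, why in findings:
        print(f"{user}: {why}")
    for manager, accounts in pack.items():
        print(manager, accounts)
```

On the constructed data as of 2017-04-10 the exceptions are bray (still enabled after a 2017-03-31 separation), cwu (suspended 2017-03-01 and never deleted) and svc_legacy (no HR owner); run as of 2017-03-30, bray is not yet an exception because the last day has not passed. Retaining the dated output of each run is the "support" the template asks for in the Controls Implemented column.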
11.7 Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Questions: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
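The last question in 11.7 ("Is super user activity logged and monitored?") is the one most often answered with "logs exist" and nothing more. A minimal monitoring control is to review every addition to a privileged group against management's authorization list. The script below is an added example, not part of the assessment template. It reads Windows Security events for group-membership additions (event IDs 4728 for global, 4732 for local and 4756 for universal security groups), flattened here into one constructed line per event; the line format, the privileged group names and the authorization list are all assumptions for the example.

```python
"""Review privileged group additions against management authorization,
for the monitoring question in control factor 11.7.

Added example; not part of the assessment template. Event lines,
group names and the AUTHORIZED list are constructed.
"""
import re
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "DBA-SysAdmin", "Security Super"}

# (member, group) pairs with a documented management authorization on file.
AUTHORIZED = {
    ("tgray", "Domain Admins"),
    ("mpatel", "DBA-SysAdmin"),
}

# Windows Security events flattened to one line each (constructed).
SAMPLE_EVENTS = """\
2017-04-10T09:02:11 EventID=4728 Subject=tgray Member=mpatel Group=DBA-SysAdmin
2017-04-10T09:40:05 EventID=4728 Subject=tgray Member=jdoe Group=Finance-Users
2017-04-10T23:17:49 EventID=4728 Subject=svc_backup Member=svc_backup Group=Domain Admins
2017-04-11T10:05:30 EventID=4732 Subject=tgray Member=rkim Group=Administrators
2017-04-11T10:06:02 EventID=4729 Subject=tgray Member=rkim Group=Administrators
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Subject=(?P<subject>\S+) "
    r"Member=(?P<member>\S+) Group=(?P<group>.+)$"
)
ADD_EVENTS = {"4728", "4732", "4756"}   # member added to a security group
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59, an assumption


def parse_events(text):
    """Parse the flattened event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def review_privileged_changes(events, authorized=AUTHORIZED):
    """Return (member, group, reasons) for each privileged addition needing follow-up."""
    findings = []
    for e in events:
        if e["id"] not in ADD_EVENTS or e["group"] not in PRIVILEGED_GROUPS:
            continue  # removals and non-privileged groups are out of scope here
        reasons = []
        if (e["member"], e["group"]) not in authorized:
            reasons.append("no management authorization on file")
        if e["subject"] == e["member"]:
            reasons.append("self-granted")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["member"], e["group"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for member, group, why in review_privileged_changes(parse_events(SAMPLE_EVENTS)):
        print(f"{member} -> {group}: {why}")
```

On the constructed events the authorized mpatel addition and the non-privileged Finance-Users change produce nothing; the self-granted, late-night svc_backup addition to Domain Admins and the unauthorized rkim addition to Administrators are reported. Note that rkim is removed again one minute later (event 4729): reviewing only a point-in-time membership snapshot would miss that grant entirely, which is why the review is driven by the event stream.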
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes. Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software. Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones. Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation. Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented. Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports. Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file). Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
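Control factors 11.25 and 11.26 describe three application controls that are easy to state and easy to get subtly wrong in code: field-level edit checks, a rejected-transaction path that keeps the rejects (rather than silently dropping them), and a balancing reconciliation of the input file against both its header control totals and the accepted-plus-rejected output. The script below is an added example that is not part of the assessment template; the interface file layout (a header record carrying the record count and control total, then one transaction per line) and the edit rules are assumptions, and the sample batch is constructed.

```python
"""Input validation, rejected-transaction handling and batch
reconciliation, illustrating control factors 11.25 and 11.26.

Added example; not part of the assessment template. The pipe-delimited
layout, the edit rules and SAMPLE_BATCH are constructed assumptions.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Header: H|batch date|record count|control total. Detail: T|txn id|account|amount|txn date.
SAMPLE_BATCH = """\
H|2017-04-10|4|1350.00
T|0001|ACCT-1001|400.00|2017-04-09
T|0002|ACCT-1002|850.00|2017-04-09
T|0003|ACCT-X|75.00|2017-04-09
T|0004|ACCT-1004|25.00|2017-13-01
"""

ACCOUNT_RE = re.compile(r"^ACCT-\d{4}$")
CENTS = Decimal("0.01")


def edit_checks(fields):
    """System edit checks for one 'T' record; returns the list of failures."""
    if len(fields) != 5:
        return ["wrong field count"]
    _, _txn_id, account, amount, txn_date = fields
    errors = []
    if not ACCOUNT_RE.match(account):
        errors.append("invalid account id")
    try:
        amt = Decimal(amount)
        if amt <= 0 or amt != amt.quantize(CENTS):
            errors.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(txn_date)
    except ValueError:
        errors.append("invalid transaction date")
    return errors


def process_batch(text):
    """Validate every record, keep the rejects, and balance the batch."""
    lines = text.splitlines()
    header = lines[0].split("|")
    expected_count, expected_total = int(header[2]), Decimal(header[3])
    accepted, rejected = [], []
    input_count, input_total = 0, Decimal("0")
    accepted_total = rejected_total = Decimal("0")
    for line in lines[1:]:
        fields = line.split("|")
        input_count += 1
        try:
            amt = Decimal(fields[3])
        except (IndexError, InvalidOperation):
            amt = Decimal("0")  # an unparseable amount contributes to no total
        input_total += amt
        errors = edit_checks(fields)
        if errors:
            # Rejects are retained with their reasons so they can be resolved,
            # not dropped; they still count toward the balancing total.
            rejected.append((fields[1] if len(fields) > 1 else line, errors))
            rejected_total += amt
        else:
            accepted.append(fields[1])
            accepted_total += amt
    reconciliation = {
        "count_matches_header": input_count == expected_count,
        "total_matches_header": input_total == expected_total,
        "accepted_plus_rejected_matches_input": accepted_total + rejected_total == input_total,
    }
    return {"accepted": accepted, "rejected": rejected, "reconciliation": reconciliation}


if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
    print("reconciliation:", result["reconciliation"])
```

Amounts are handled as Decimal rather than float so the control total balances to the cent. On the constructed batch, records 0001 and 0002 are accepted, 0003 is rejected for its account id and 0004 for its date, and all three reconciliation checks pass; altering the header control total makes the input-to-header check fail, which is the signal that the file was truncated or altered in transit between the source system and the interface.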
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements it needs to communicate effectively, both internally and externally. This would include management's review of changes to statutes and regulations, economic changes and other factors. Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, kept up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements. Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur. Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication. Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in the community room, e-mail, onboarding process). Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing. Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners. Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., e-mail)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Questions: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable. Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Questions: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. Questions: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?
Information & Communication

The quality information management and personnel communicate and use to support the internal control system.
Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.
Controls Across Components
Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.
Minimum Documentation Requirements (cont.)

Requirement | Component (Green Book reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)
In Practice…
We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls
Incremental Progress - Organizing

Starting from HERE:
• Formally declare an internal control framework (deliverable: Written Policy, required)
• Break down the organization into functions (deliverable: Risk Assessment Spreadsheet)
• Establish a process for evaluating risks (deliverable: Risk Assessment Spreadsheet)
• Create teams by function to brainstorm risks (deliverable: Risk Assessment Spreadsheet)
Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed
...to THERE.

Deliverables associated with these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (required); Internal Audit; Management Audit Plan (required).
Written Policy
Other Implementation Considerations

• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance
Risk Assessment Spreadsheet

Instructions
The assessment template is a tool for the management of each assessable unit within an agency (see Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system and is based on the Green Bookrsquos widely recognized internal control framework utilized by the United States federal government to develop internal control systems within its organization This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control The control factors are intended to help management consider the degree to which the system is functioning Many control factors relate to existing legislation and policies while others reflect business best practices The list of control factors is not all inclusive but is provided as a starting point Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity A copy of the completed Assessment Template along with any supporting control documentation should be organized and retained electronically Organizing this information in a logical manner will provide easy access for future updates revisions and handling requests from internal or external parties such as internal or external auditors Documentation will vary by agency The amount of documentation gathered to evidence this assessment depends on an agencyrsquos size complexity of its organizational structure and the business activities it performs Actual documentation may include mission statements goals objectives organization charts policies and procedures etc When reviewing the assessment you may determine some control factors to be agency-wide These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unitrsquos assessment template For a majority of agencies it may be logical to have an Executive Level assessable unit This would capture high level 
control environment/risk assessment control factors, which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, select the yellow status. If the standard is not being met and no steps are currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each issue identified must be defined as either a deficiency, significant deficiency, or material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.
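The column rules above (an N/A rating needs an explanation, yellow and red ratings need an action item and a weakness level, and every significant deficiency or material weakness must be carried into a corrective action plan with a responsible party and target date) as a validator for a filled-in template. This is an added example, not code from the CLA deck or the Commonwealth template; the field names and the sample rows are this example's own assumptions.

```python
"""Consistency checks for rows of the Internal Control Assessment Template.

Added example (not from the CLA deck or the Commonwealth template): it encodes
the column rules from the template instructions so an exported template can be
checked before submission.  Field names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RATINGS = ("green", "yellow", "red", "na")
# Drop-down values of the Weakness Level column, least to most severe.
WEAKNESS_LEVELS = ("deficiency", "significant deficiency", "material weakness")
# Per the instructions, these levels must be carried into a corrective action plan.
CAP_REQUIRED = ("significant deficiency", "material weakness")


@dataclass
class TemplateRow:
    ref: str                                   # control factor, e.g. "1.1"
    rating: str                                # green / yellow / red / N/A
    controls_implemented: str = ""
    action_items: str = ""                     # Action Items/Areas Needing Improvement
    na_explanation: str = ""                   # why the factor does not apply
    weakness_level: Optional[str] = None
    corrective_action_plan: str = ""
    responsible_party: str = ""
    target_completion_date: Optional[date] = None


def validate_row(row: TemplateRow) -> list:
    """Return the findings for one row; an empty list means the row is complete."""
    findings = []
    rating = row.rating.strip().lower().replace("/", "")   # accept "N/A" and "NA"
    if rating not in RATINGS:
        return [f"{row.ref}: unknown rating {row.rating!r}"]

    if rating == "na":
        # An N/A factor needs a justification and nothing else.
        if not row.na_explanation.strip():
            findings.append(f"{row.ref}: N/A rating requires an explanation")
        return findings

    if rating == "green":
        return findings   # standard met, controls effective: no action columns needed

    # Yellow or red: the standard is not (fully) met.
    if not row.action_items.strip():
        findings.append(f"{row.ref}: {rating} rating requires an Action Items entry")
    level = (row.weakness_level or "").strip().lower()
    if level not in WEAKNESS_LEVELS:
        findings.append(f"{row.ref}: weakness level must be one of {WEAKNESS_LEVELS}")
        return findings
    if level in CAP_REQUIRED:
        if not row.corrective_action_plan.strip():
            findings.append(f"{row.ref}: {level} requires a corrective action plan")
        if not row.responsible_party.strip():
            findings.append(f"{row.ref}: corrective action plan needs a responsible party")
        if row.target_completion_date is None:
            findings.append(f"{row.ref}: corrective action plan needs a target completion date")
    return findings


def corrective_action_plan(rows):
    """Rows that must appear in the corrective action plan (significant
    deficiencies and material weaknesses), most severe first."""
    cap = [r for r in rows
           if r.rating.strip().lower() in ("yellow", "red")
           and (r.weakness_level or "").strip().lower() in CAP_REQUIRED]
    return sorted(cap, key=lambda r: -WEAKNESS_LEVELS.index(r.weakness_level.strip().lower()))


# Constructed sample rows, not taken from any real assessment.
SAMPLE_ROWS = [
    TemplateRow("1.2", "green", controls_implemented="Code of conduct acknowledged at hire"),
    TemplateRow("10.5", "red", action_items="One clerk initiates, records and reconciles",
                weakness_level="Material Weakness",
                corrective_action_plan="Move reconciliation to the bureau director",
                responsible_party="Bureau director", target_completion_date=date(2017, 3, 31)),
    TemplateRow("10.12", "N/A", na_explanation="Unit administers no sub-recipient awards"),
    TemplateRow("11.6", "yellow", action_items="Last access review was 10 months ago",
                weakness_level="Significant Deficiency"),   # CAP columns left blank
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        for finding in validate_row(row):
            print(finding)
    print("CAP rows:", [r.ref for r in corrective_action_plan(SAMPLE_ROWS)])
```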


Enterprise Risk Management

Each risk is scored on nine weighted factors; the weights (shown in the column headers) sum to 100, and the total score is the weighted sum of the factor scores.

| Risk | Description | Level of documented control procedures (10) | Size or volume (10) | New products, services or processing systems (10) | Personnel turnover and mix (15) | Complexity (15) | Susceptibility to fraud (15) | Information and reporting (10) | Inherent level of risk to the organization (10) | Frequency mentioned during interviews (5) | Total score (100) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach | The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |
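The scoring behind the table, as an added example rather than code from the CLA deck: each factor score is multiplied by the factor's weight and the products are summed, which is how the Data Breach row's 2, 5, 4, 3, 5, 4, 5, 5, 3 yields 405. The factor names, weights and rows are the slide's; the 1-to-5 scale is an assumption drawn from the values shown.

```python
"""Weighted risk scoring behind the Enterprise Risk Management table.

Added example, not code from the CLA deck.  Each risk is scored on nine
factors; each factor carries the weight shown on the slide (the weights sum to
100) and the total score is the weight-by-score sum.  The 1-to-5 scale is an
assumption drawn from the values in the table.
"""

# (factor, weight) in the slide's column order.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
WEIGHTS = [w for _, w in FACTORS]
MIN_SCORE, MAX_SCORE = 1, 5          # assumed scale; the slide shows only values 1..5


def total_score(scores):
    """Weighted total for one risk, after validating the weights and the scores."""
    if sum(WEIGHTS) != 100:
        raise ValueError("factor weights must sum to 100")
    if len(scores) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} factor scores, got {len(scores)}")
    for (factor, _), s in zip(FACTORS, scores):
        if not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"{factor}: score {s} outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(w * s for w, s in zip(WEIGHTS, scores))


def contributions(scores):
    """(factor, weight * score) pairs, largest contribution first; ties keep column order."""
    pairs = [(f, w * s) for (f, w), s in zip(FACTORS, scores)]
    return sorted(pairs, key=lambda p: -p[1])


def rank_risks(risks):
    """(name, total) pairs, highest total first; ties keep the input order."""
    return sorted(((name, total_score(s)) for name, s in risks.items()),
                  key=lambda p: -p[1])


# The five rows from the slide, scores in factor order.
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

if __name__ == "__main__":
    # Highest score first, with the two factors that drive each total.
    for name, total in rank_risks(RISKS):
        drivers = ", ".join(f"{f} ({c})" for f, c in contributions(RISKS[name])[:2])
        print(f"{total:>4}  {name:<36}  top drivers: {drivers}")
```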


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081


Examples

| Principle | Control Factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016
Weakness Level (drop-down selections): Deficiency; Significant Deficiency; Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses.
Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?
1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system. Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?
Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees. Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. Question: Does each Agency/Assessable Unit have detailed procedures or a policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the agency. The agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze and Respond to Risks
7.1 A process (i.e., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Question: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; and appropriate documentation (formal policies, directives and manuals are properly managed and maintained). Question: Does management utilize the appropriate types of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and the use of information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Question: Does management design the information system and the use of information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Question: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
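Control factors 11.3, 11.4, 11.6 and 11.7 state concrete, testable parameters (8-character minimum, 30-day expiry, lockout after four attempts, suspension on the last day, deletion two weeks later, admin rights limited to authorized IT staff). The script below is an added example, not part of the assessment template, showing how an assessor can test those parameters against an exported domain password policy, an account export and an HR separation list instead of relying on the narrative answer. DOMAIN_POLICY, ACCOUNTS, SEPARATIONS, the group names and the review date are constructed sample data; the field names are assumptions about how the export was produced. Note that the 30-day expiry and 8-character minimum are the template's stated values to verify, not a recommendation: current NIST SP 800-63B guidance drops forced periodic rotation in favour of longer passwords screened against compromised-password lists.

```python
"""Access-review checks for the parameters stated in 11.3, 11.4, 11.6 and 11.7.

Added example; not part of the assessment template. DOMAIN_POLICY, ACCOUNTS
and SEPARATIONS are CONSTRUCTED sample data standing in for an Active
Directory export and an HR separation feed; the field names are assumptions.
"""
from datetime import date, timedelta

# Thresholds taken from control factors 11.3 and 11.4
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 30
LOCKOUT_THRESHOLD = 4
DELETE_AFTER_DAYS = 14            # user IDs deleted two weeks after suspension
ADMIN_GROUPS = {"Domain Admins", "Server Admins", "DBA"}   # assumed group names
AS_OF = date(2017, 3, 1)          # date the review is run (constructed)

# Constructed stand-in for the domain password policy as exported from AD
DOMAIN_POLICY = {
    "MinPasswordLength": 8,
    "ComplexityEnabled": True,
    "MaxPasswordAgeDays": 90,     # weaker than the 30 days stated in 11.3
    "LockoutThreshold": 0,        # 0 means accounts never lock out
}

# Constructed account export: one record per account
ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "department": "Finance",
     "pwd_last_set": date(2017, 1, 2), "groups": ["Finance Users"]},
    {"sam": "asmith", "enabled": True, "department": "IT",
     "pwd_last_set": date(2017, 2, 20), "groups": ["Domain Admins"]},
    {"sam": "bjones", "enabled": True, "department": "Finance",
     "pwd_last_set": date(2017, 2, 25), "groups": ["Server Admins"]},
    {"sam": "cwu", "enabled": False, "department": "HR",
     "pwd_last_set": date(2016, 12, 1), "groups": ["HR Users"]},
    {"sam": "svc_batch", "enabled": True, "department": "IT",
     "pwd_last_set": date(2017, 2, 28), "groups": ["DBA"]},
]

# Constructed HR feed: sam -> last day of Commonwealth employment
SEPARATIONS = {"jdoe": date(2017, 2, 10), "cwu": date(2017, 1, 15)}


def check_password_policy(policy):
    """Compare the domain settings with the parameters stated in 11.3."""
    findings = []
    if policy["MinPasswordLength"] < MIN_PASSWORD_LENGTH:
        findings.append("minimum length below %d" % MIN_PASSWORD_LENGTH)
    if not policy["ComplexityEnabled"]:
        findings.append("complexity off: alpha + numeric not enforced")
    age = policy["MaxPasswordAgeDays"]
    if age == 0 or age > MAX_PASSWORD_AGE_DAYS:     # 0 = never expires
        findings.append("maximum age exceeds %d days" % MAX_PASSWORD_AGE_DAYS)
    lock = policy["LockoutThreshold"]
    if lock == 0 or lock > LOCKOUT_THRESHOLD:       # 0 = never locks out
        findings.append("lockout not set to %d or fewer attempts" % LOCKOUT_THRESHOLD)
    return findings


def review_accounts(accounts, separations, as_of):
    """Return (sam, finding) pairs for 11.4, 11.6 and 11.7 exceptions."""
    findings = []
    for acct in accounts:
        sam = acct["sam"]
        last_day = separations.get(sam)
        if last_day is not None:
            # 11.4(2): suspend on the last day, delete after the two-week window
            if acct["enabled"] and as_of >= last_day:
                findings.append((sam, "separated employee still enabled"))
            if as_of > last_day + timedelta(days=DELETE_AFTER_DAYS):
                findings.append((sam, "ID still exists after %d-day window" % DELETE_AFTER_DAYS))
        if not acct["enabled"]:
            continue
        # 11.3: a password older than the stated expiry means expiry is not enforced
        if (as_of - acct["pwd_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((sam, "password older than %d days" % MAX_PASSWORD_AGE_DAYS))
        # 11.4(3) and 11.7: administrative groups limited to authorized IT staff
        admin = ADMIN_GROUPS.intersection(acct["groups"])
        if admin and acct["department"] != "IT":
            findings.append((sam, "admin group outside IT: " + ", ".join(sorted(admin))))
        # 11.14: shared/system IDs holding admin rights need explicit authorization
        if sam.startswith("svc_") and admin:
            findings.append((sam, "service/shared ID holds admin rights"))
    return findings


def run_review():
    """Convenience entry point: policy findings plus account findings."""
    return check_password_policy(DOMAIN_POLICY), review_accounts(ACCOUNTS, SEPARATIONS, AS_OF)


if __name__ == "__main__":
    policy_findings, account_findings = run_review()
    for f in policy_findings:
        print("POLICY:", f)
    for sam, f in account_findings:
        print("ACCOUNT %s: %s" % (sam, f))
```

Against the constructed data the script reports two policy gaps (90-day expiry, no lockout) and six account findings, including a separated employee whose ID is still enabled well past the deletion window and an admin group held outside IT; the password-age check on live accounts is the useful one, because a policy that looks right in the console is not evidence that it is being enforced.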
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
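Control factors 11.11 to 11.14 are usually evidenced by sampling change tickets and comparing them with the production deployment log. The script below is an added example, not part of the assessment template, that encodes those four checks (authorization before the change, documented test results, documented approval before implementation except for emergency changes, and segregation of duties on the production deploy) and runs them over a set of tickets. The role lists and the CHANGES tickets are constructed; the field names are assumptions about what the change-management system and deployment audit log export. It also covers the "and/or scheduled job" alternative in 11.14: a shared service ID is acceptable only when the ticket records that the deploy ran as a scheduled job rather than interactively.

```python
"""Segregation-of-duties and approval checks over change tickets (11.11 to 11.14).

Added example; not part of the assessment template. The role lists and the
CHANGES tickets are CONSTRUCTED; in practice the same fields would come from
the change-management system and the production deployment audit log.
"""
from datetime import datetime

DEVELOPERS = {"dev1", "dev2"}          # assumed: development staff
PROD_DEPLOYERS = {"ops1", "ops2"}      # assumed: authorized per 11.14
CHANGE_APPROVERS = {"mgr1", "mgr2"}    # assumed: management per 11.11/11.13

CHANGES = [
    # Clean ticket: authorized, tested, approved, then deployed by operations
    {"id": "CHG-1", "emergency": False, "requested_by": "dev1",
     "authorized_by": "mgr1", "authorized_at": datetime(2017, 3, 1, 9, 0),
     "test_evidence": "TEST-1", "approved_by": "mgr1",
     "approved_at": datetime(2017, 3, 3, 15, 0),
     "deployed_by": "ops1", "deployed_at": datetime(2017, 3, 4, 2, 0)},
    # Developer pushed own change, and approval was recorded after the deploy
    {"id": "CHG-2", "emergency": False, "requested_by": "dev2",
     "authorized_by": "mgr2", "authorized_at": datetime(2017, 3, 2, 10, 0),
     "test_evidence": "TEST-2", "approved_by": "mgr2",
     "approved_at": datetime(2017, 3, 6, 9, 0),
     "deployed_by": "dev2", "deployed_at": datetime(2017, 3, 5, 18, 0)},
    # Emergency change: after-the-fact approval is allowed, but none is documented
    {"id": "CHG-3", "emergency": True, "requested_by": "dev1",
     "authorized_by": None, "authorized_at": None, "test_evidence": None,
     "approved_by": None, "approved_at": None,
     "deployed_by": "ops2", "deployed_at": datetime(2017, 3, 7, 23, 0)},
    # Shared service ID used interactively to deploy
    {"id": "CHG-4", "emergency": False, "requested_by": "dev1",
     "authorized_by": "mgr1", "authorized_at": datetime(2017, 3, 8, 9, 0),
     "test_evidence": "TEST-4", "approved_by": "mgr2",
     "approved_at": datetime(2017, 3, 9, 16, 0),
     "deployed_by": "svc_deploy", "deployed_at": datetime(2017, 3, 10, 1, 0)},
    # Same service ID, but via the scheduled job that 11.14 allows as an alternative
    {"id": "CHG-5", "emergency": False, "requested_by": "dev2",
     "authorized_by": "mgr1", "authorized_at": datetime(2017, 3, 8, 9, 0),
     "test_evidence": "TEST-5", "approved_by": "mgr1",
     "approved_at": datetime(2017, 3, 9, 16, 0), "scheduled_job": True,
     "deployed_by": "svc_deploy", "deployed_at": datetime(2017, 3, 11, 1, 0)},
]


def review_change(chg):
    """Return the list of control exceptions for one change ticket."""
    findings = []
    deployed_at = chg["deployed_at"]
    if not chg["emergency"]:
        # 11.11: authorization by management before the change was initiated
        if (chg["authorized_by"] not in CHANGE_APPROVERS
                or chg["authorized_at"] is None or chg["authorized_at"] > deployed_at):
            findings.append("11.11 no management authorization before the change")
        # 11.12: documented successful test results before implementation
        if not chg["test_evidence"]:
            findings.append("11.12 no documented test results")
    # 11.13: final approval documented; for emergencies it may follow the deploy
    if chg["approved_by"] not in CHANGE_APPROVERS or chg["approved_at"] is None:
        findings.append("11.13 final approval not documented")
    elif not chg["emergency"] and chg["approved_at"] > deployed_at:
        findings.append("11.13 approval recorded after implementation")
    # 11.14: only authorized operations staff (or a scheduled job) deploy
    deployer = chg["deployed_by"]
    scheduled = chg.get("scheduled_job", False)
    if not scheduled and deployer not in PROD_DEPLOYERS:
        findings.append("11.14 deployed by an ID not authorized for production")
    if deployer in DEVELOPERS or deployer == chg["requested_by"]:
        findings.append("11.14 developer/requester implemented own change")
    if deployer.startswith("svc_") and not scheduled:
        findings.append("11.14 shared/system ID used interactively to deploy")
    return findings


def review_all(changes):
    """Map ticket id -> findings for every ticket."""
    return {chg["id"]: review_change(chg) for chg in changes}


if __name__ == "__main__":
    for cid, found in review_all(CHANGES).items():
        print(cid, "OK" if not found else "; ".join(found))
```

The point of taking `deployed_by` and `deployed_at` from the deployment tool's own log rather than from the ticket is that a ticket can say whatever the requester typed; the comparison between the two sources is what demonstrates that developers actually lack production access, which is the "how does management ensure" question in 11.14.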
Program Development
11.15 A written system development life cycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development life cycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure the accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to the source data/system, system edit checks and reviews of output reports.
Questions: Are data validation procedures in place to ensure the accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to the source data/system, system edit checks and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to the input file, to the output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing of transactions, and reconciliations (to source data, to the input file, to the output file)?
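Control factors 11.25 and 11.26 list four distinct application controls (edit checks on input, identification of rejected transactions, balancing, and reconciliation to source, input file and output) that are easy to conflate. The script below is an added example, not part of the assessment template, that applies all four to one batch interface file so the difference between them is visible: the file is balanced to its own trailer (did the whole file arrive?), the trailer is reconciled to the source system's control totals (is it the batch the source says it sent?), each detail record passes edit checks or is rejected with a reason, and accepted plus rejected amounts are balanced back to the input. The H/D/T record layout, the chart of accounts, the file contents and the source control totals are constructed.

```python
"""Input validation and reconciliation for a batch interface file (11.25/11.26).

Added example; not part of the assessment template. The H/D/T file layout,
the chart of accounts and the source-system control totals are CONSTRUCTED.
"""
from datetime import datetime
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000", "2000", "4100"}     # assumed chart of accounts

# Constructed interface file: header, detail records, trailer with control totals.
# The trailer count covers every D record; the trailer total sums the amounts
# the source system could write (the blank amount on T004 contributes 0).
INTERFACE_FILE = """\
H|20170301|GLINT
D|T001|1000|125.00|20170228
D|T002|2000|-40.50|20170228
D|T003|9999|10.00|20170228
D|T004|4100||20170228
D|T005|4100|300.25|20170230
D|T001|1000|125.00|20170228
T|6|519.75
"""

# Constructed control totals reported by the source system for this batch
SOURCE_CONTROL = {"count": 6, "total": Decimal("519.75")}


def parse_amount(text):
    """Return a Decimal, or None when the field is blank or non-numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def edit_check(fields, seen_ids):
    """System edit checks (11.25): return a rejection reason or None."""
    if len(fields) != 5:
        return "wrong field count"
    _, txn_id, account, amount, posted = fields
    if txn_id in seen_ids:
        return "duplicate transaction id"
    if account not in VALID_ACCOUNTS:
        return "unknown account %s" % account
    if parse_amount(amount) is None:
        return "missing or non-numeric amount"
    try:
        datetime.strptime(posted, "%Y%m%d")
    except ValueError:
        return "invalid posting date"
    return None


def process_interface(text, source_control):
    """Validate, reject, balance and reconcile one interface file (11.26)."""
    accepted, rejected, seen, trailer = [], [], set(), None
    detail_count = 0
    detail_total = accepted_total = rejected_total = Decimal("0")
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("|")
        kind = fields[0]
        if kind == "H":
            continue
        if kind == "T":
            trailer = {"count": int(fields[1]), "total": Decimal(fields[2])}
            continue
        if kind != "D":
            rejected.append((lineno, line, "unknown record type"))
            continue
        amount = parse_amount(fields[3]) if len(fields) > 3 else None
        detail_count += 1
        detail_total += amount or Decimal("0")
        reason = edit_check(fields, seen)
        if reason:
            rejected.append((lineno, line, reason))     # rejects are reported, not dropped
            rejected_total += amount or Decimal("0")
        else:
            seen.add(fields[1])
            accepted.append((fields[1], fields[2], amount))
            accepted_total += amount
    return {
        "accepted_count": len(accepted),
        "accepted_total": accepted_total,
        "rejected": rejected,
        # input file vs its own trailer: did the whole file arrive intact?
        "file_balanced": trailer is not None and trailer["count"] == detail_count
        and trailer["total"] == detail_total,
        # trailer vs source system: is this the batch the source says it sent?
        "source_balanced": trailer == source_control,
        # output: what is posted plus what was rejected must equal the input
        "output_balanced": trailer is not None
        and accepted_total + rejected_total == trailer["total"],
    }


if __name__ == "__main__":
    result = process_interface(INTERFACE_FILE, SOURCE_CONTROL)
    print("accepted %d records totalling %s" % (result["accepted_count"], result["accepted_total"]))
    for lineno, line, reason in result["rejected"]:
        print("REJECT line %d (%s): %s" % (lineno, reason, line))
    for key in ("file_balanced", "source_balanced", "output_balanced"):
        print(key, result[key])
```

On the constructed file, two records post, four are rejected with a stated reason (unknown account, blank amount, impossible date, duplicate ID), and all three balances hold; removing the trailer line makes every balance fail, which is the behaviour an assessor should look for when asking whether a truncated file could be posted unnoticed.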
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statutes, regulations, economic conditions and other factors.
Questions: How does management continuously identify changes (e.g., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and does not report false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (e.g., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, are up to date, reflect actual operating practices, align with goals and objectives, and comply with state and federal program requirements.
Questions: How are changes (e.g., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.).
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (e.g., a flyer hanging in the community room, e-mail, the onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (e.g., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe for reviewing reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants and other governments; complaints/inquiries; advice from outside parties; etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (e.g., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (e.g., e-mail)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (e.g., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to the findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Monitoring

Activities management establishes and operates to assess the quality of performance over time and properly resolve the findings of audits and other reviews.


Controls Across Components



Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented and operated effectively.



Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)


In Practice…


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as its sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

HERE
• Formally declare an internal control framework (deliverable: Written Policy, required)
• Break down the organization into functions (deliverable: Risk Assessment Spreadsheet)
• Establish a process for evaluating risks (deliverable: Risk Assessment Spreadsheet)
• Create teams by function to brainstorm risks (deliverable: Risk Assessment Spreadsheet)


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed
THERE

Deliverables shown on the slide: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)


Written Policy



Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance



Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken toward attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Scoring factors and their weights (weights sum to 100):

Level of documented control procedures (10) | Size or volume (10) | New products, services or processing systems (10) | Personnel turnover and mix (15) | Complexity (15) | Susceptibility to fraud (15) | Information and reporting (10) | Inherent level of risk to the organization (10) | Frequency mentioned during interviews (5)

Risk | Factor scores (in the order above) | Total Score
Data Breach | 2 5 4 3 5 4 5 5 3 | 405
National Park Service Relationship | 3 5 4 3 4 1 2 5 5 | 335
Age of Venue - Filene Center | 3 5 4 3 4 3 1 4 3 | 335
Succession Planning | 5 2 1 5 3 2 3 5 5 | 335
Audience Competition | 3 5 3 1 4 2 4 5 5 | 330

Each total is the sum of the factor scores multiplied by their weights (Data Breach: 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405).

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and that should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
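The totals in the table above are weighted sums of the nine factor scores. The Python below is an added example, not part of the original deck or of the Wolf Trap assessment: it recomputes the totals from the weights and scores, validates the weights and the 1-5 scale (an assumption; every score in the table fits it), ranks the risks, and shows which factors drive a given total. The function names are mine.

```python
"""Weighted risk scoring as laid out in the Enterprise Risk Management table.

Added example; factor names, weights and scores are taken from the table,
the helper functions and the 1-5 scale check are assumptions of this example.
"""

# (factor name, weight) in the table's column order; the weights sum to 100.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

# Factor scores per risk, copied from the table in the same column order.
RISKS = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

SCALE_MIN, SCALE_MAX = 1, 5  # assumed scoring scale; all table values lie in it


def validate_weights(factors=FACTORS):
    """Weights must sum to 100 so totals are comparable across assessments."""
    total = sum(weight for _, weight in factors)
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def weighted_score(scores, factors=FACTORS):
    """Total Score = sum(score_i * weight_i) over the factors."""
    if len(scores) != len(factors):
        raise ValueError("one score per factor is required")
    for score in scores:
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"score {score} outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return sum(score * weight for score, (_, weight) in zip(scores, factors))


def rank_risks(risks=RISKS, factors=FACTORS):
    """Risks ordered by total, highest first; ties broken by name (descending)."""
    validate_weights(factors)
    ranked = sorted(
        ((weighted_score(scores, factors), name) for name, scores in risks.items()),
        reverse=True,
    )
    return [(name, total) for total, name in ranked]


def top_drivers(scores, factors=FACTORS, n=3):
    """The n factors contributing most (score * weight) to a risk's total."""
    contributions = sorted(
        ((score * weight, name) for score, (name, weight) in zip(scores, factors)),
        reverse=True,
    )
    return [(name, amount) for amount, name in contributions[:n]]


if __name__ == "__main__":
    for name, total in rank_risks():
        drivers = ", ".join(f"{f} ({c})" for f, c in top_drivers(RISKS[name]))
        print(f"{total:4d}  {name}: driven by {drivers}")
```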


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081


  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Weakness Level drop-down values: Deficiency | Significant Deficiency | Material Weakness

Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date

The rows below give the control factor number, the control factor statement, and the control factor question; the remaining columns are completed by the agency/assessable unit.
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 | Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. | Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 | Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). | Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 | Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12). | Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 | The oversight body oversees management's design, implementation, and operation of the agency's internal control system. | Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 | Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. | Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority

3.1 | Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. | Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 | Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. | How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 | Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. | How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 | Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees. | When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 | Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. | Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 | Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. | Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 | Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. | Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 | Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. | Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 | Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status. | Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 | Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. | Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 | Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. | In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 | Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. | How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks

7.1 | A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 | A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. | Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 | Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. | Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 | Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. | Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 | Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 | Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences. | Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences?

7.7 | Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. | How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 | Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. | Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 | Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. | How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 | Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. | How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change

9.1 | Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel. | How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 | Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. | How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?

9.3 | Management promotes continuous improvement and solicits input and feedback on the implications of significant change. | Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 | Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. | Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 | Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. | Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 | Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. | Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?

10.4 | The agency has established and monitors performance measures and indicators. | Do you monitor performance measures?

10.5 | Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. | Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 | Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. | Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned within your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 | Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). | Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 | Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. | Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 | Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals reconciled to control accounts, etc.); physical control over vulnerable assets; appropriate documentation (formal policies, directives, and manuals are properly managed and maintained). | Does management utilize the appropriate types of control activities needed to address risks?

10.10 | Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. | Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 | Employees understand which records they are responsible for maintaining and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. | How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 | Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. | Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 | Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. | Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 | Management obtains and reviews all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. | Does management obtain and review all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 | Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. | Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 | Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). | Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?

11.3 | Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status. | Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?

11.4 | Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. | Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 | In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). | In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 | On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. | On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
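Control factors 11.3 (password parameters) and 11.4 (suspended IDs deleted after two weeks) can be evidenced directly from Active Directory rather than by interview alone. The script below is an added example, not part of the Commonwealth template or the CLA presentation; it assumes the RSAT ActiveDirectory module with read access to the domain, and its reading of "suspended status" as a lockout that lasts until an administrator unlocks the account is an assumption, not the template's wording.

```powershell
# Added example (not from the assessment template or the CLA deck): collects evidence for
# control factors 11.3 and 11.4 from Active Directory. Thresholds are those stated in 11.3.
# Function and output property names are my own.
Import-Module ActiveDirectory

function Test-PasswordParameters {
    param(
        [int]$MinLength       = 8,   # "minimum of 8 characters"
        [int]$MaxAgeDays      = 30,  # "passwords expire every 30 days"
        [int]$LockoutAttempts = 4    # "four invalid login attempts"
    )
    $p = Get-ADDefaultDomainPasswordPolicy

    # One evidence row per check, suitable for the "Controls Implemented" column.
    function New-Row($Check, $Expected, $Actual, [bool]$Pass) {
        [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
    }

    New-Row 'Minimum password length' ">= $MinLength" $p.MinPasswordLength `
        ($p.MinPasswordLength -ge $MinLength)

    # AD complexity (three of four character classes) is stricter than the template's
    # "one numeric and one alpha character", so ComplexityEnabled satisfies 11.3.
    New-Row 'Alpha and numeric characters required' 'ComplexityEnabled = True' $p.ComplexityEnabled `
        ($p.ComplexityEnabled -eq $true)

    # A zero MaxPasswordAge means passwords never expire, which fails the 30-day requirement.
    New-Row 'Maximum password age (days)' "1..$MaxAgeDays" $p.MaxPasswordAge.TotalDays `
        ($p.MaxPasswordAge -gt [TimeSpan]::Zero -and $p.MaxPasswordAge.TotalDays -le $MaxAgeDays)

    # LockoutThreshold = 0 disables lockout entirely, so zero is a failure, not a pass.
    New-Row 'Lockout after invalid attempts' "1..$LockoutAttempts" $p.LockoutThreshold `
        ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $LockoutAttempts)

    # Assumption: "placed in a suspended status" = locked until an administrator unlocks
    # the account, which AD expresses as a LockoutDuration of zero.
    New-Row 'Locked account stays suspended' 'LockoutDuration = 0' $p.LockoutDuration `
        ($p.LockoutDuration -eq [TimeSpan]::Zero)

    # Fine-grained password policies override the domain default for their members;
    # any listed here must be reviewed against 11.3 separately.
    $pso = Get-ADFineGrainedPasswordPolicy -Filter *
    New-Row 'Fine-grained policies in use' 'none, or each reviewed' ($pso.Name -join ', ') `
        (-not $pso)
}

function Get-StaleDisabledAccounts {
    # Control factor 11.4: IDs are suspended on the last day and deleted after two weeks.
    # whenChanged is the last modification of any attribute, so it is only an upper bound
    # on the disable date; for exact dates use Security event 4725 (account disabled).
    param([int]$GraceDays = 14)
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    Search-ADAccount -AccountDisabled -UsersOnly |
        Get-ADUser -Properties whenChanged, Description |
        # Guest and krbtgt are disabled by design and are not separated employees.
        Where-Object { $_.SamAccountName -notin @('Guest', 'krbtgt') -and $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, whenChanged, Description
}

# Run both checks and print the evidence tables.
Test-PasswordParameters | Format-Table -AutoSize
$stale = @(Get-StaleDisabledAccounts)
"Disabled accounts older than the two-week deletion window: $($stale.Count)"
$stale | Format-Table -AutoSize
```

Any row with Pass = False, or any account in the second table, is a candidate for the "Action Items/Areas Needing Improvement" column of the template rather than an automatic deficiency; the template's rating still rests on management's review.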
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
    Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
    Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
    Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
    Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
    Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
    Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
    Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
    Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
    Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
    Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
    Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
    In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
    Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
    Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
    Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
    Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
    Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
    Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
    Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
    Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.
    Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies its information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
    How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
    Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
    Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
    How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur.
    How does management ensure that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
    Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
    Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
    What is the process and timeframe to review reports received from subordinates to evaluate accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
    Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners.
    Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
    Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
    Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
    How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
    Does management periodically complete a review and evaluation of each mission critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
    Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
    How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
    How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
    How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, both identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
    How does management evaluate and document internal control issues, both identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Controls Across Components


Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.


Minimum Documentation Requirements (cont.)

| Requirement | Component (Reference) |
|---|---|
| Management develops and maintains documentation of its internal control system | Control Environment (3.09) |
| Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02) |
| Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09) |
| Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05) |
| Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06) |


In Practice…


We Find…

• Management has not formally adopted an internal control framework

• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated

• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment

• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing

HERE

1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Supporting documents: Written Policy (Required); Risk Assessment Spreadsheet


Incremental Progress - Analysis and Monitoring

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high exposure risks
4. Develop a process to ensure the controls are operating as designed

THERE

Supporting documents: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required)


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy

• Consider management trainings on internal controls

• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples




Enterprise Risk Management

Weighted risk factors (weight in parentheses; the weights total 100):
  • Level of documented control procedures (10)
  • Size or volume (10)
  • New products, services or processing systems (10)
  • Personnel turnover and mix (15)
  • Complexity (15)
  • Susceptibility to fraud (15)
  • Information and reporting (10)
  • Inherent level of risk to the organization (10)
  • Frequency mentioned during interviews (5)

Each risk is rated on every factor and the total score is the weighted sum of its ratings.

| Risk | Documented controls (10) | Size/volume (10) | New products/systems (10) | Turnover/mix (15) | Complexity (15) | Fraud susceptibility (15) | Info & reporting (10) | Inherent risk (10) | Interview frequency (5) | Total score |
|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue (Filene Center) | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:
  • Data Breach: The risk that the organization's data is vulnerable to internal or external threats and that, should any of the data be compromised, the Wolf Trap brand would be damaged.
  • National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.
  • Age of Venue (Filene Center): The risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization.
  • Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available, or not having the capabilities, to fill key positions should those positions be vacated for reasons other than termination.
  • Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
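The totals in the matrix are weighted sums of the factor ratings, which is worth checking before the ranking is used to allocate audit effort. The Python below is an added example, not code from the CLA deck: it encodes the nine factor weights and the five risks transcribed from the slide, validates the register (weights must total 100, every cell must be rated), reproduces the slide's totals, ranks the risks, and reports which factors drive each total. The 1-5 rating scale and the tie-breaking order for drivers are assumptions of the example.

```python
"""Weighted risk scoring for an ERM matrix.

Added example, not code from the CLA deck. The factor names, weights and
register ratings are transcribed from the Enterprise Risk Management slide;
the 1-5 rating scale is an assumption.
"""
from typing import Dict, List, Sequence, Tuple

# (factor, weight) in the slide's column order; the weights total 100.
FACTORS: List[Tuple[str, int]] = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
FACTOR_NAMES = [name for name, _ in FACTORS]
WEIGHTS = [weight for _, weight in FACTORS]
RATING_MIN, RATING_MAX = 1, 5  # assumed rating scale for every factor

# Ratings transcribed from the slide, one per factor, in column order.
RISK_REGISTER: Dict[str, List[int]] = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue (Filene Center)": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def validate_weights(weights: Sequence[int] = WEIGHTS) -> None:
    """A weighting scheme that does not total 100 makes totals incomparable."""
    if sum(weights) != 100:
        raise ValueError(f"weights total {sum(weights)}, expected 100")


def score_risk(ratings: Sequence[int], weights: Sequence[int] = WEIGHTS) -> int:
    """Weighted sum of one risk's ratings; rejects missing or out-of-range cells."""
    if len(ratings) != len(weights):
        raise ValueError(f"expected {len(weights)} ratings, got {len(ratings)}")
    for rating in ratings:
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    return sum(r * w for r, w in zip(ratings, weights))


def rank_register(register: Dict[str, List[int]],
                  weights: Sequence[int] = WEIGHTS) -> List[Tuple[str, int]]:
    """Score every risk and order from highest to lowest total.

    sorted() is stable, so risks with equal totals keep their register order.
    """
    validate_weights(weights)
    scored = [(name, score_risk(ratings, weights)) for name, ratings in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def top_drivers(ratings: Sequence[int], n: int = 3,
                weights: Sequence[int] = WEIGHTS) -> List[str]:
    """Factors contributing most (rating x weight) to a risk's total.

    Ties keep column order; that ordering is a convention of this example,
    not something the slide defines.
    """
    contributions = [(name, r * w) for name, r, w in zip(FACTOR_NAMES, ratings, weights)]
    contributions.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _ in contributions[:n]]


if __name__ == "__main__":
    for name, total in rank_register(RISK_REGISTER):
        drivers = ", ".join(top_drivers(RISK_REGISTER[name]))
        print(f"{total:>4}  {name}  (driven by: {drivers})")
```

Three risks tie at 335, so the ranking alone does not say where to spend effort next; the driver list shows that Succession Planning is carried by turnover and documented-control weakness while the NPS relationship is carried by inherent risk and interview frequency, which points to different control activities.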


Internal Control Policies and Procedures

  • Develop a template and a location for access and storage – SharePoint, intranet site, guide, etc. (information and communication)
  • Policy components:
    – Identify the risk
    – Document the control activities
    – Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnectcom

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081


  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance – §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress – Organizing
  • Incremental Progress – Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples tab (representative Commonwealth control factors, referenced to the associated Green Book principle):

| Principle | Control factor |
|---|---|
| 1 | Executive Order 1980-18 Amended, Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level (drop-down selection): Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses

Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to employees (i.e., annually, change of administration)?

1.2 Statement: Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 Statement: The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Statement: The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for non-financial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 Statement: A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy the control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Statement: Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Statement: Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Statement: Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 Statement: The agency has established, and monitors, performance measures and indicators.
    Question: Do you monitor performance measures?

10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review, based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million, so all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Statement: Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9 Statement: Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take the following controls into consideration when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequence, batch totals with control accounts, etc.); physical control over vulnerable assets; and appropriate documentation (formal policies, directives and manuals are properly managed and maintained).
    Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews the corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review the corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Statement: Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Statement: Management obtains and reviews all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Question: Does management obtain and review all independent reports to ensure each report covers the controls related to risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Statement: Management designs the information system, and the use of information technology, by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Question: Does management design the information system, and the use of information technology, by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Statement: Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
    Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Statement: Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts and user IDs are placed in a suspended status.
    Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, with user IDs placed in a suspended status?

11.4 Statement: Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Question: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 Statement: In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 Statement: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
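The access administration, access review, and privileged access factors above (1.1.4, 1.1.6, and 1.1.7) are usually evidenced by reconciling the HR feed against a directory export. The Python script below is an added example, not part of the template or of any Commonwealth system: the CSV layouts, the group and roster names, the review date, and the 14-day retention figure (taken from the template's two-week deletion period) are assumptions, and every record in it is constructed. It flags separated employees whose IDs are still enabled after their last day or still exist after the retention period, enabled accounts that HR does not know about, and privileged group members who are not on the management-authorized list; the compliant leaver in the sample produces no finding, which is the result an auditor wants to see.

```python
"""Joiner/leaver and privileged-access reconciliation over constructed sample data.

Added example, not the template's or any agency's code. Column names, group
names and dates are assumptions chosen for illustration.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed HR separation feed (assumed columns: employee_id, name, last_day).
HR_SEPARATIONS_CSV = """employee_id,name,last_day
1001,Alice Example,2017-03-01
1002,Bob Example,2017-03-20
1003,Carol Example,2017-03-28
"""

# Constructed directory export (assumed columns: sam_account, employee_id, enabled).
AD_USERS_CSV = """sam_account,employee_id,enabled
aexample,1001,true
bexample,1002,false
cexample,1003,true
dexample,1004,true
eexample,1005,true
svc_backup,,true
"""

HR_ACTIVE_IDS = {"1004"}                                       # assumed HR active roster
DOMAIN_ADMIN_MEMBERS = ["dexample", "svc_backup", "cexample"]  # assumed group export
AUTHORIZED_ADMINS = {"dexample", "svc_backup"}                 # assumed management authorization list

REVIEW_DATE = date(2017, 4, 1)
RETENTION = timedelta(days=14)  # template: IDs deleted two weeks after suspension


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def leaver_findings(separations, ad_users, today=REVIEW_DATE):
    """1.1.4(2): separated users are suspended on their last day and deleted after two weeks."""
    by_employee = {u["employee_id"]: u for u in ad_users if u["employee_id"]}
    findings = []
    for sep in separations:
        last_day = parse_day(sep["last_day"])
        acct = by_employee.get(sep["employee_id"])
        if acct is None:
            continue  # account already deleted: compliant, nothing to report
        age = (today - last_day).days
        if acct["enabled"].lower() == "true" and today > last_day:
            findings.append({"control": "1.1.4", "account": acct["sam_account"],
                             "issue": f"still enabled {age} days after last day {last_day}"})
        if today > last_day + RETENTION:
            findings.append({"control": "1.1.4", "account": acct["sam_account"],
                             "issue": f"not deleted {age} days after last day "
                                      f"(retention is {RETENTION.days} days)"})
    return findings


def orphan_findings(ad_users, active_ids, separations):
    """1.1.6: every enabled account must map to a current or known-separated employee."""
    known = set(active_ids) | {s["employee_id"] for s in separations}
    findings = []
    for u in ad_users:
        if u["enabled"].lower() != "true":
            continue
        if not u["employee_id"]:
            findings.append({"control": "1.1.6", "account": u["sam_account"],
                             "issue": "no employee owner recorded; confirm service account owner"})
        elif u["employee_id"] not in known:
            findings.append({"control": "1.1.6", "account": u["sam_account"],
                             "issue": "enabled but unknown to HR"})
    return findings


def privileged_findings(members, authorized):
    """1.1.4(3) / 1.1.7: admin group membership limited to management-authorized personnel."""
    return [{"control": "1.1.7", "account": m,
             "issue": "in Domain Admins without management authorization"}
            for m in members if m not in authorized]


def run_review(today=REVIEW_DATE):
    separations = load_csv(HR_SEPARATIONS_CSV)
    users = load_csv(AD_USERS_CSV)
    return (leaver_findings(separations, users, today)
            + orphan_findings(users, HR_ACTIVE_IDS, separations)
            + privileged_findings(DOMAIN_ADMIN_MEMBERS, AUTHORIZED_ADMINS))


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f['control']}] {f['account']}: {f['issue']}")
```

Running it against the constructed data produces six findings; retaining the script output together with the two source exports is the kind of evidence the Controls Implemented column asks for, and re-running it on a later review date shows how the same account accumulates findings as the retention period lapses.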
Program Changes
1.1.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
1.1.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?
1.1.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
1.1.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
1.1.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
1.1.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
1.1.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
1.1.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
1.1.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
1.1.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
1.1.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
1.1.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
1.1.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
1.1.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
1.1.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
1.1.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
1.1.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
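Factors 1.1.25 and 1.1.26 ask for system edit checks on input data and for reconciliations between source, input file, and output file. The Python script below is an added example, not the template's or any agency's code: the file layouts, the batch it processes, and the account-number format are constructed assumptions. It shows why a record-count balance alone is not a sufficient reconciliation: the constructed batch balances on counts (six input records equal five posted plus one rejected) yet hides an input transaction that was never posted, a posted transaction that was never in the input, and an amount that changed between input and output. Amounts are handled as Decimal so that control totals reconcile to the cent.

```python
"""Input edit checks and input-to-output batch reconciliation over a constructed batch.

Added example, not the template's or any agency's code. File layouts and the
account-number pattern are assumptions chosen for illustration.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# Constructed input file (assumed columns: txn_id, account, amount).
INPUT_CSV = """txn_id,account,amount
T001,12-3456,100.00
T002,12-3456,-25.50
T003,99-0001,abc
T004,12-9999,40.25
T005,12-3456,10.00
T006,bad,10.00
"""

# Constructed output (posted) file. T004 differs from input; T007 was never input.
POSTED_CSV = """txn_id,amount
T001,100.00
T002,-25.50
T004,40.52
T005,10.00
T007,15.00
"""

# Constructed rejection log. T006 is neither posted nor rejected.
REJECTED_CSV = """txn_id,reason
T003,invalid amount
"""

ACCOUNT_RE = re.compile(r"^\d{2}-\d{4}$")  # assumed account-number format
CENTS = Decimal("0.01")


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_amount(text):
    """Return a finite Decimal with at most two decimal places, or None if invalid."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount != amount.quantize(CENTS):
        return None
    return amount


def edit_checks(rows):
    """System edit checks (1.1.25): duplicate key, account format, numeric amount."""
    failures, seen = [], set()
    for r in rows:
        if r["txn_id"] in seen:
            failures.append((r["txn_id"], "txn_id", "duplicate"))
        seen.add(r["txn_id"])
        if not ACCOUNT_RE.match(r["account"]):
            failures.append((r["txn_id"], "account", "bad format"))
        if parse_amount(r["amount"]) is None:
            failures.append((r["txn_id"], "amount", "not a two-decimal number"))
    return failures


def reconcile(input_rows, posted_rows, rejected_rows):
    """Balance the input file to the posted file plus rejects (1.1.26)."""
    inp = {r["txn_id"]: parse_amount(r["amount"]) for r in input_rows}
    posted = {r["txn_id"]: parse_amount(r["amount"]) for r in posted_rows}
    rejected = {r["txn_id"] for r in rejected_rows}
    zero = Decimal("0")
    input_total = sum((a for a in inp.values() if a is not None), zero)
    posted_total = sum((a for a in posted.values() if a is not None), zero)
    rejected_total = sum((inp[t] for t in rejected if inp.get(t) is not None), zero)
    result = {
        # Count balance: the check most shops stop at, and the one this batch passes.
        "count_balanced": len(inp) == len(posted) + len(rejected),
        "input_total": input_total,
        "posted_total": posted_total,
        "total_difference": input_total - (posted_total + rejected_total),
        # Key-level reconciliation catches what counts and totals can mask.
        "unaccounted": sorted(t for t in inp if t not in posted and t not in rejected),
        "unauthorized": sorted(t for t in posted if t not in inp),
        "amount_mismatch": sorted(t for t in inp if t in posted and inp[t] != posted[t]),
    }
    result["balanced"] = (result["count_balanced"] and result["total_difference"] == 0
                          and not result["unaccounted"] and not result["unauthorized"]
                          and not result["amount_mismatch"])
    return result


def reconcile_batch():
    return reconcile(load_csv(INPUT_CSV), load_csv(POSTED_CSV), load_csv(REJECTED_CSV))


if __name__ == "__main__":
    for failure in edit_checks(load_csv(INPUT_CSV)):
        print("edit check failed:", failure)
    for key, value in reconcile_batch().items():
        print(f"{key}: {value}")
```

On the constructed batch the count check passes while the control-total difference is -5.27 and three transaction IDs are flagged; the three key-level lists are the items a reviewer would trace back to source documents, and the posted-but-never-input transaction is the one that also bears on factor 1.1.24, since it was processed without an authorizing input record.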
Disaster Recovery
1.1.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
1.1.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
1.1.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
1.1.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
1.2.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
1.2.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
1.2.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
1.3.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This includes management's review of changes to statutes, regulations, economic conditions, and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
1.3.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not reporting false information?
1.3.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
1.4.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
1.4.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur.
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
1.4.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
1.4.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (i.e., flyer hanging in community room, e-mail, onboarding process).
Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
1.4.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communicate Externally
1.5.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
1.5.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners.
Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., e-mail)?
1.5.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
1.6.1 Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?
1.6.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
1.6.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?
1.6.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
1.6.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
1.6.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
1.7.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?
1.7.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Minimum Documentation Requirements

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

Minimum Documentation Requirements (cont.)

Requirement | Component (Reference)
Management develops and maintains documentation of its internal control system | Control Environment (3.09)
Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02)
Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09)
Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05)
Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06)

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

HERE
1. Formally declare an internal control framework
2. Break down the organization into functions
3. Establish a process for evaluating risks
4. Create teams by function to brainstorm risks

Deliverables labeled on the slide, in order: Written Policy (Required); Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high exposure risks
4. Develop a process to ensure the controls are operating as designed
THERE

Deliverables labeled on the slide, in order: Risk Assessment Spreadsheet; Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit; Management Audit Plan (Required); Internal Control Policies and Procedures (Required); Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required)

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Risk scoring matrix. The example rows are taken from a Wolf Trap risk assessment. Each risk is rated on nine factors; the total score is the sum of each rating multiplied by the factor's weight, and the weights sum to 100.

Factors and weights:
A. Level of documented control procedures (10)
B. Size or volume (10)
C. New products, services or processing systems (10)
D. Personnel turnover and mix (15)
E. Complexity (15)
F. Susceptibility to fraud (15)
G. Information and reporting (10)
H. Inherent level of risk to the organization (10)
I. Frequency mentioned during interviews (5)

| Risk                               | A | B | C | D | E | F | G | H | I | Total Score |
|------------------------------------|---|---|---|---|---|---|---|---|---|-------------|
| Data Breach                        | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405         |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335         |
| Age of Venue - Filene Center       | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335         |
| Succession Planning                | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335         |
| Audience Competition               | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330         |

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and that should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.

Age of Venue - Filene Center: The risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available, or not having the capabilities, to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
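The scoring behind the matrix, as an added example (this code is not from the presentation or from CLA): it reproduces the nine weighted factors and the five scored risks above, checks that the weights sum to 100, ranks the risks, shows which factors drive each score, and re-scores a risk after a single rating changes. The 1 to 5 rating scale is an assumption; the page shows ratings in that range but does not state the scale.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management matrix.

Added example, not code from the presentation. Factor names, weights and the
ratings are copied from the matrix; the 1-5 rating scale is assumed.
"""

FACTORS = [  # (factor, weight) in matrix order; weights sum to 100
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]

RISKS = {  # ratings copied from the matrix rows
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

RATING_MIN, RATING_MAX = 1, 5  # assumed scale


def validate_factors(factors):
    """Weights must sum to 100 so scores are comparable across assessments."""
    total = sum(w for _, w in factors)
    if total != 100:
        raise ValueError(f"factor weights sum to {total}, expected 100")


def weighted_score(ratings, factors=FACTORS):
    """Total score = sum(rating * weight); malformed rows are rejected, not scored."""
    validate_factors(factors)
    if len(ratings) != len(factors):
        raise ValueError(f"expected {len(factors)} ratings, got {len(ratings)}")
    for (name, _), r in zip(factors, ratings):
        if not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"rating {r} for {name!r} outside {RATING_MIN}-{RATING_MAX}")
    return sum(r * w for r, (_, w) in zip(ratings, factors))


def rank_risks(risks, factors=FACTORS):
    """Highest score first; ties are broken by name only so the listing is stable."""
    scored = ((name, weighted_score(r, factors)) for name, r in risks.items())
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def score_drivers(ratings, factors=FACTORS, top=3):
    """Factors contributing the most points; shows where a control would cut the score."""
    contributions = [(name, r * w) for r, (name, w) in zip(ratings, factors)]
    return sorted(contributions, key=lambda c: -c[1])[:top]


def rescore(name, factor_name, new_rating, risks=RISKS, factors=FACTORS):
    """What-if: the total after one factor's rating changes (e.g. once a control is documented)."""
    idx = [f for f, _ in factors].index(factor_name)
    ratings = list(risks[name])
    ratings[idx] = new_rating
    return weighted_score(ratings, factors)


if __name__ == "__main__":
    for name, score in rank_risks(RISKS):
        print(f"{score:4d}  {name}")
        for factor, points in score_drivers(RISKS[name]):
            print(f"        {points:3d}  {factor}")
```

Run as a script it prints the ranking with the three largest contributing factors under each risk. The three-way tie at 335 is ordered by name purely for a stable listing; the matrix itself does not rank those three against each other, so that is a decision for the risk committee, not the spreadsheet.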


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

CLAconnect.com | twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081

  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice...
  • We Find...
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples tab

| Principle | Control Factor |
|-----------|----------------|
| 1 | Executive Order 1980-18 (Amended), Code of Conduct |
| 1 | Performing professional and educational reference checks prior to hiring a new employee |
| 3 | Department organization charts |
| 4 | Annual employee performance evaluations |
| 7 | Dept. of Health's Pandemic Influenza Response Plan |
| 10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash |
| 10 | User identification and password to log into your agency's computer network |
| 10 | Reconciling a petty cash checking account to the monthly bank statement |
| 10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration |
| 10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers |
| 14 | Departmental staff meetings, retreats, strategic planning sessions, etc. |
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level (drop-down): Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan, Responsible Party and Target Completion Date: to be completed for all significant deficiencies or material weaknesses.

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to employees (e.g., annually, at a change of administration)?

1.2 Statement: Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 Statement: The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often does it meet to review and discuss the internal controls?

2.3 Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority and responsibility, and it is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Statement: Management performs required personnel actions, including hiring the most qualified individuals based on skills, knowledge and experience and on evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Statement: Employees receive/obtain information and training about internal controls as they pertain to their position, role and responsibilities, to maintain and improve their competence for their jobs and to enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and to enable them to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or a policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations conducted on a timely basis to ensure job duties (e.g., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Statement: The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 Statement: A process (e.g., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (e.g., an open-door policy)?

7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would cause the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would cause the greatest negative consequences?

7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (e.g., minutes of meetings)?

Principle 8 – Assess Fraud Risk

8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Statement: Mechanisms exist to identify, prioritize and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Statement: Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Statement: Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 Statement: The agency has established and monitors performance measures and indicators.
    Question: Do you monitor performance measures?

10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk.
    Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to identified risks (e.g., if management is concerned about contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Statement: Accounting reports and key reconciliations are completed timely (e.g., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9 Statement: Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take the following controls into consideration when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals agreed with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
    Question: Does management utilize the appropriate types of control activities needed to address risks?

10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (e.g., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Statement: Employees understand which records they are responsible for maintaining and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Statement: Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Statement: Management obtains and reviews all independent reports to ensure each report covers controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Question: Does management obtain and review all independent reports to ensure each report covers controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
    Note: for a SOC report, that review should also confirm that the report period covers the fiscal year being assessed, that the system description includes the services the Commonwealth actually uses, and that the complementary user entity controls the report assumes are in place on the Commonwealth's side. A Type 1 report speaks only to control design at a point in time; the operating effectiveness asked for in 10.13 needs a Type 2 report.
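A segregation-of-duties check of the kind control factors 10.5 and 10.6 ask for, as an added example that is not the Commonwealth's or CLA's code. It treats the four functions named in 10.5 (initiate transactions, reconcile balances, handle assets, review reports) as mutually incompatible, unions the functions each user's roles grant, reports every conflicting pair, and marks a conflict compensated only where a documented compensating control exists for that user and that pair, which is the exception path 10.5 allows. The role-to-function map, the user list and the exception register are constructed for the example; in practice the first two come from the application's role export that 10.6 wants reviewed at least annually.

```python
"""Segregation-of-duties (SoD) check over application role assignments.

Added example for control factors 10.5 and 10.6; not the Commonwealth's tooling.
Role names, users and the exception register are constructed.
"""
from itertools import combinations

# The four functions that 10.5 says should not rest with one person.
INCOMPATIBLE = ("initiate", "reconcile", "custody", "review")

# Constructed role-to-function map; in practice exported from the application.
ROLE_FUNCTIONS = {
    "AP_Clerk": {"initiate"},
    "AP_Approver": {"review"},
    "GL_Accountant": {"reconcile"},
    "Cashier": {"custody"},
    "Report_Viewer": set(),              # read-only, no SoD-relevant function
    "AP_Admin": {"initiate", "review"},  # a role that conflicts by design
}

# Constructed user-to-role export (what 10.6 has management review annually).
USER_ROLES = {
    "alice": ["AP_Clerk", "GL_Accountant"],
    "bob": ["AP_Clerk", "AP_Approver"],
    "carol": ["Cashier", "Report_Viewer"],
    "dave": ["AP_Admin"],
}

# Documented compensating controls per 10.5, keyed by (user, conflicting pair).
COMPENSATING = {
    ("bob", frozenset({"initiate", "review"})):
        "Bureau director reviews and signs the monthly AP approval log",
}


def functions_for(roles, role_functions=ROLE_FUNCTIONS):
    """Union of SoD-relevant functions a role set grants; unmapped roles are an error, not ignored."""
    unknown = [r for r in roles if r not in role_functions]
    if unknown:
        raise KeyError(f"roles without a function mapping: {unknown}")
    return set().union(*(role_functions[r] for r in roles))


def conflicting_roles(role_functions=ROLE_FUNCTIONS):
    """Roles that by themselves grant two or more incompatible functions (fix the role, not each user)."""
    return sorted(r for r, f in role_functions.items() if len(f & set(INCOMPATIBLE)) >= 2)


def sod_findings(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, compensating=COMPENSATING):
    """One finding per user per incompatible pair; status says whether 10.5's exception path applies."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        held = functions_for(roles, role_functions)
        for a, b in combinations(INCOMPATIBLE, 2):
            if a in held and b in held:
                pair = frozenset({a, b})
                via = sorted(r for r in roles if role_functions[r] & pair)
                note = compensating.get((user, pair))
                findings.append({
                    "user": user,
                    "conflict": f"{a}+{b}",
                    "roles": via,
                    "status": "compensated" if note else "uncompensated",
                    "compensating_control": note,
                })
    return findings


def open_exceptions(findings):
    """Conflicts with no documented compensating control: these belong in the Action Items column."""
    return [f for f in findings if f["status"] == "uncompensated"]


if __name__ == "__main__":
    print("roles conflicting by design:", conflicting_roles())
    for f in sod_findings():
        print(f"{f['user']:8} {f['conflict']:20} {f['status']:14} via {', '.join(f['roles'])}")
```

Two design points matter for the review: an unmapped role raises rather than silently contributing no functions, because a role missing from the map is exactly the kind of gap an annual role review should surface, and a conflict inside a single role (AP_Admin above) is reported separately so the fix is applied to the role definition instead of being re-discovered user by user.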
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Statement: Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Question: Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Statement: Information security policy/user awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (e.g., an online shared document repository or web portal with documents available for employee review/access).
    Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Statement: Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
    Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alpha character, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, with user IDs placed in a suspended status?
    Note: these parameters are the template's 2016 baseline. NIST SP 800-63B (2017) recommends against forcing periodic password changes and in favor of screening new passwords against lists of known-compromised values, so an agency updating this control factor should revisit the 30-day expiry rather than treat it as a ceiling of good practice.

11.4 Statement: Access administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Question: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 Statement: In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 Statement: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job functions. The Data Security group is responsible for performing all modifications to information system access.
    Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job functions? Is the Data Security group responsible for granting, changing and removing access to information systems?
117 Super UsersPrivileged Access 1) Access to special privileges (ie Security Super) within applications is limited to personnel authorized by management 2) Administrative access to the operating systemservers is limited to authorized personnel 3) Administrative and privileged access (writeexecute) to databases is limited to authorized personnel Super UsersPrivileged Access 1) Is access to special privileges (ie Security Super) within applications limited to personnel authorized by management 2) Is administrative access to the operating systemservers limited to authorized personnel 3) Is administrative and privileged access (writeexecute) to databases limited to authorized personnel Is super user activity logged and monitored
118 Physical Access 1) Access to the Data Center requires a card key andor PIN code and only individuals who need access to perform their daily job responsibilities have access Access Logs are reviewed to ensure no unauthorized personnel were admitted 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges The software functions are password protected and only the administrator and designated backups have access to the system Physical Access 1) Is access to the Data Center restricted requiring a card key andor PIN code and are only those individuals who need access to perform their daily job responsibilities able to access Are access logs reviewed 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges Are software functions password protected and do only the administrator and designated backups have access to the system
119 Firewalls intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access Management periodically monitors reportslogs to identify potential unauthorized activity Are firewalls intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access Does management periodically monitor reportslogs to identify potential unauthorized activity
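Control factors 1.1.3 through 1.1.7 are written as attestations, but the evidence behind them can be pulled directly from Active Directory rather than taken from a questionnaire answer. The PowerShell script below is an added example (it is not from the CLA slides or the Commonwealth assessment template) that reads the default domain password policy and compares it with the parameters stated in 1.1.3, lists enabled accounts with no recent logon (the population a 1.1.4 separation check or a 1.1.6 access review should question), and flattens the user membership of the privileged groups for the 1.1.7 attestation. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day stale cutoff and the group names are assumptions chosen for illustration. One caveat on the template's own figures: the 8-character minimum and 30-day forced expiry were typical settings when such templates were written, but current NIST SP 800-63B guidance favors longer passwords and advises against periodic rotation absent evidence of compromise, so treat 1.1.3 as the baseline to be evidenced rather than as a recommendation.

```powershell
# Added example, not part of the CLA slides or the Commonwealth assessment template.
# Collects evidence for control factors 1.1.3 (password parameters), 1.1.4/1.1.6
# (suspended or stale user IDs) and 1.1.7 (privileged access) from Active Directory.
# Assumptions: RSAT ActiveDirectory module on a domain-joined host; the thresholds
# below are the template's stated figures plus a 90-day "stale" cutoff chosen here.
Import-Module ActiveDirectory

$Expected = @{
    MinPasswordLength  = 8      # control factor 1.1.3
    ComplexityEnabled  = $true  # nearest AD equivalent of "one numeric and one alpha character"
    MaxPasswordAgeDays = 30     # control factor 1.1.3
    LockoutThreshold   = 4      # "four invalid login attempts"
}
$StaleDays        = 90                                                        # assumption for the 1.1.6 review
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumption; add agency-specific groups

function Test-PasswordPolicy {
    # Compares the default domain policy with the expected parameters. Zero for
    # MaxPasswordAge or LockoutThreshold means "never expires" / "no lockout", so
    # each check requires a positive value at or below the expected one.
    # Fine-grained password policies (PSOs) can override the default for specific
    # groups and are not examined here (see Get-ADFineGrainedPasswordPolicy).
    $p = Get-ADDefaultDomainPasswordPolicy
    $ageDays = $p.MaxPasswordAge.TotalDays
    @(
        [pscustomobject]@{ Setting = 'MinPasswordLength';  Actual = $p.MinPasswordLength; Expected = $Expected.MinPasswordLength;  Pass = ($p.MinPasswordLength -ge $Expected.MinPasswordLength) }
        [pscustomobject]@{ Setting = 'ComplexityEnabled';  Actual = $p.ComplexityEnabled; Expected = $Expected.ComplexityEnabled;  Pass = ($p.ComplexityEnabled -eq $Expected.ComplexityEnabled) }
        [pscustomobject]@{ Setting = 'MaxPasswordAgeDays'; Actual = $ageDays;             Expected = $Expected.MaxPasswordAgeDays; Pass = ($ageDays -gt 0 -and $ageDays -le $Expected.MaxPasswordAgeDays) }
        [pscustomobject]@{ Setting = 'LockoutThreshold';   Actual = $p.LockoutThreshold;  Expected = $Expected.LockoutThreshold;   Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $Expected.LockoutThreshold) }
    )
}

function Get-StaleEnabledAccounts {
    # Enabled accounts with no logon in $Days days. Separated employees whose IDs
    # were not suspended on their last day (1.1.4) appear here, as do accounts the
    # 1.1.6 access review should question. LastLogonDate derives from the replicated
    # lastLogonTimestamp attribute, which can lag real logons by up to 14 days.
    param([int]$Days = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)   # never logged on since creation
        } |
        Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description
}

function Get-PrivilegedMembers {
    # Flattened (recursive) user membership of the privileged groups, for the
    # 1.1.7 attestation that administrative access is limited to authorized personnel.
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName; Name = $_.Name }
            }
    }
}

# Produce the evidence set. The CSVs are what an assessor would retain behind the
# "Controls Implemented" column; any Pass = False row is an action item.
$stamp = Get-Date -Format 'yyyyMMdd'
Test-PasswordPolicy      | Tee-Object -Variable policy | Format-Table -AutoSize
Get-StaleEnabledAccounts | Export-Csv -NoTypeInformation "stale-accounts-$stamp.csv"
Get-PrivilegedMembers    | Export-Csv -NoTypeInformation "privileged-members-$stamp.csv"
$policy | Export-Csv -NoTypeInformation "password-policy-$stamp.csv"
if ($policy | Where-Object { -not $_.Pass }) {
    Write-Warning 'Default domain password policy deviates from control factor 1.1.3'
}
```

Run it under an account that can read the domain; nothing is modified. The stale-account list is a starting point for the business managers named in 1.1.6, not a deletion list: service accounts and rarely used break-glass accounts will appear in it and need a documented justification rather than removal.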
Program Changes
1.1.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Assessment question: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
1.1.11 Management authorization is requested and obtained prior to initiating an application change. Assessment question: Is management authorization requested and obtained prior to initiating an application change?
1.1.12 Application changes are tested, and results of successful testing are documented prior to implementation. Assessment question: Are application changes tested, and are results of successful testing documented prior to implementation?
1.1.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Assessment questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
1.1.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Assessment questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
1.1.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Assessment question: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
1.1.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Assessment questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
1.1.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Assessment questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
1.1.18 For all new or upgraded applications, testing is planned and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Assessment questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
1.1.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Assessment questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
1.1.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Assessment questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
1.1.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented. Assessment questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?
1.1.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Assessment questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
1.1.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. Assessment question: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
1.1.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Assessment questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
1.1.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Assessment questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
1.1.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Assessment question: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
1.1.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Assessment questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
1.1.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Assessment question: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
1.1.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Assessment questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
1.1.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Assessment question: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 - Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Assessment question: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Assessment questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities. Assessment questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 - Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statutes, regulations, economic conditions, and other factors. Assessment question: How does management continuously identify changes (i.e., control environment, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. Assessment question: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Assessment questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 - Communicate Internally
14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and in compliance with state and federal program requirements. Assessment questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur. Assessment question: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Assessment questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., a flyer hanging in the community room, e-mail, the onboarding process). Assessment questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. Assessment question: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 - Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, and other governments; complaints/inquiries; advice from outside parties; etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Assessment questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners. Assessment questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., e-mail)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Assessment questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Assessment question: Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable. Assessment questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Assessment question: Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Assessment questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. Assessment question: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. Assessment question: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 - Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. Assessment question: How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. Assessment questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Minimum Documentation Requirements (cont.)

| Requirement | Component (Reference) |
|---|---|
| Management develops and maintains documentation of its internal control system | Control Environment (3.09) |
| Management documents in policies the internal control responsibilities of the organization | Control Activities (12.02) |
| Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues | Monitoring (16.09) |
| Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis | Monitoring (17.05) |
| Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis | Monitoring (17.06) |

In Practice…

We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls

Incremental Progress - Organizing

HERE (starting point)
1. Formally declare an internal control framework. Deliverable: Written Policy (Required)
2. Break down the organization into functions. Deliverable: Risk Assessment Spreadsheet
3. Establish a process for evaluating risks. Deliverable: Risk Assessment Spreadsheet
4. Create teams by function to brainstorm risks. Deliverable: Risk Assessment Spreadsheet

Incremental Progress - Analysis and Monitoring

1. Analyze identified risks
2. Align existing controls with identified risks
3. Design controls to mitigate high exposure risks
4. Develop a process to ensure the controls are operating as designed
THERE (target state)

Supporting deliverables across these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Management Audit Plan (Required); Internal Audit.

Written Policy

Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency; the amount gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit, which would capture high-level control environment/risk assessment control factors that may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.



Enterprise Risk Management

Risk factor columns (weight in parentheses); each risk is rated 1 to 5 on every factor, and the weights sum to 100:
  A  Level of documented control procedures (10)
  B  Size or volume (10)
  C  New products, services, or processing systems (10)
  D  Personnel turnover and mix (15)
  E  Complexity (15)
  F  Susceptibility to fraud (15)
  G  Information and reporting (10)
  H  Inherent level of risk to the organization (10)
  I  Frequency mentioned during interviews (5)
  Total Score = sum of rating x weight over factors A-I

RISK DESCRIPTION, ratings A-I, and Total Score

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.
  A-I: 2 5 4 3 5 4 5 5 3   Total Score: 405

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.
  A-I: 3 5 4 3 4 1 2 5 5   Total Score: 335

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
  A-I: 3 5 4 3 4 3 1 4 3   Total Score: 335

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
  A-I: 5 2 1 5 3 2 3 5 5   Total Score: 335

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
  A-I: 3 5 3 1 4 2 4 5 5   Total Score: 330

38


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

39


Internal Audit Management Audit Plan

40

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, Sean.Walker@claconnect.com, 410-308-8081

41

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle  Control Factor
1   Executive Order 1980-18 Amended, Code of Conduct
1   Performing professional and educational reference checks prior to hiring a new employee
3   Department organization charts
4   Annual employee performance evaluations
7   Dept. of Health's Pandemic Influenza Response Plan
10  Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10  User identification and password to log into your agency's computer network
10  Reconciling a petty cash checking account to the monthly bank statement
10  PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10  Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14  Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness Level drop-down values: Deficiency / Significant Deficiency / Material Weakness
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Statement: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 Statement: Management enforces a formal code or codes of conduct, communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 Statement: Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12). Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?
2.2 Statement: The oversight body oversees management's design, implementation, and operation of the agency's internal control system. Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?
2.3 Statement: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility, and Authority
3.1 Statement: Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees. Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Statement: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Statement: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Statement: Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees. Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Statement: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Statement: Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Statement: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Statement: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Statement: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Statement: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 Statement: The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Statement: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 Statement: A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 Statement: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Statement: Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Statement: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Statement: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Statement: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Statement: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Statement: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Statement: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Statement: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Statement: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Statement: Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Statement: Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Statement: Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Statement: Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Statement: Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 Statement: The agency has established and monitors performance measures and indicators. Question: Do you monitor performance measures?
10.5 Statement: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Statement: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems. Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Statement: Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Statement: Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Statement: Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; appropriate documentation (formal policies, directives, and manuals are properly managed and maintained). Question: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Statement: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Statement: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Statement: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Statement: Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Statement: Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Questions: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
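Two checks that put control factors 11.4 and 11.6 into practice, added here as an editor's example rather than as part of the template: the first lists disabled accounts that have outlived the two-week retention window and should already have been deleted, the second exports every enabled user's group memberships, keyed by department and manager, as the worksheet business managers certify during the semiannual review. It assumes the ActiveDirectory (RSAT) module; the 14-day window is a parameter, and because Active Directory keeps no "disabled on" attribute the script uses the object's last modification time (whenChanged) as a proxy, which is an assumption: an account edited after being disabled will look newer than it is, and the exact date is only available from security event ID 4725 (a user account was disabled) on the domain controllers.

```powershell
# Added example: checks supporting control factors 11.4 (separation handling) and
# 11.6 (semiannual access review). Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# 11.4: disabled accounts that are still present after the two-week retention window.
# Assumption: AD stores no "disabled on" date, so whenChanged (last write to the object)
# is used as a proxy. It is never older than the disable action, so any disabled account
# whose whenChanged predates the cutoff has overstayed the window. The exact date is in
# security event ID 4725 on the domain controllers.
function Get-OverdueDisabledUsers {
    param([int] $RetentionDays = 14)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -Filter { Enabled -eq $false } -Properties whenChanged, Description |
        Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object SamAccountName, Name, whenChanged, Description
}

# 11.6: one row per (user, group) for business-manager certification. The Department
# and Manager columns let the worksheet be split by reviewer.
function Export-AccessReview {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ADUser -Filter { Enabled -eq $true } -Properties MemberOf, Department, Manager, Title |
        ForEach-Object {
            $user = $_
            $manager = if ($user.Manager) { (Get-ADUser $user.Manager).Name } else { '' }
            foreach ($groupDn in $user.MemberOf) {
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Title          = $user.Title
                    Department     = $user.Department
                    Manager        = $manager
                    Group          = (Get-ADGroup $groupDn).Name
                    Decision       = ''   # reviewer records Keep / Remove here
                }
            }
        } |
        Sort-Object Department, SamAccountName, Group |
        Export-Csv -Path $Path -NoTypeInformation
}

Get-OverdueDisabledUsers | Format-Table -AutoSize
Export-AccessReview -Path ".\access-review-$(Get-Date -Format 'yyyy-MM-dd').csv"
```

The export reads MemberOf, which lists direct memberships only; the primary group (usually Domain Users) and groups reached through nesting are not included, so a review that must cover nested access should expand membership with Get-ADGroupMember -Recursive instead. Retain the completed CSV with the reviewers' decisions as the evidence for 11.6, and log the deletions performed from the first list as the evidence for 11.4.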
11.7 Super Users/Privileged Access. 1) Access to special privileges (i.e., Security Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Questions: 1) Is access to special privileges (i.e., Security Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Questions: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Questions: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Management authorization is requested and obtained prior to initiating an application change.
Questions: Is management authorization requested and obtained prior to initiating an application change?

11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
Questions: Are application changes tested, and are results of successful testing documented prior to implementation?

11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software.
Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?

11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones.
Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?

11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?

11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation.
Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?

11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?

11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine whom to contact in the event of a processing failure, and errors are resolved and documented.
Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine whom to contact in the event of a processing failure, and are errors resolved and documented?

11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?

11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?

11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports.
Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?

11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file).
Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?

11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?

11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?

12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?

12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This includes management's review of changes to statutes, regulations, economic conditions and other factors.
Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?

13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not reporting false information?

13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
Questions: Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, kept up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements.
Questions: How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?

14.2 Management ensures that effective internal communications occur (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.).
Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, a complaints/inquiries system through which improvements to operations can be recommended, employee recognition, etc.) occur?

14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication.
Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to communicate with management, including any deficiencies in controls that staff may notice?

14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in the community room, email, onboarding process).
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?

14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing.
Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?

15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners.
Questions: Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?

15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
Questions: Does management use professional judgment in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system.
Questions: Has management established a baseline to monitor the internal control system?

16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable.
Questions: How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?

16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation.
Questions: Does management periodically complete a review and evaluation of each mission-critical process?

16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable).
Questions: Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?

16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system.
Questions: How does management document the results of its ongoing monitoring and separate evaluations of internal controls?

16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment.
Questions: How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.
Questions: How do employees report deficiencies in internal control to management?

17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis.
Questions: How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?
In Practice…
We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as its sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls
Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework (deliverable: Written Policy, required)
• Break down the organization into functions (deliverable: Risk Assessment Spreadsheet)
• Establish a process for evaluating risks (deliverable: Risk Assessment Spreadsheet)
• Create teams by function to brainstorm risks (deliverable: Risk Assessment Spreadsheet)
Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high-exposure risks
• Develop a process to ensure the controls are operating as designed

Supporting documents: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)
Written Policy
Other Implementation Considerations
• Control approval process and communication strategy
• Consider management training on internal controls
• Implementation guidance
Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit; this would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.
Enterprise Risk Management

Risk scoring factors and weights (weights sum to 100):

A = Level of documented control procedures (10)
B = Size or volume (10)
C = New products, services, or processing systems (10)
D = Personnel turnover and mix (15)
E = Complexity (15)
F = Susceptibility to fraud (15)
G = Information and reporting (10)
H = Inherent level of risk to the organization (10)
I = Frequency mentioned during interviews (5)

Risk                               | A | B | C | D | E | F | G | H | I | Total Score
Data Breach                        | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center       | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning                | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition               | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
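The Total Score column is the sum of each factor score multiplied by its weight; every row of the spreadsheet checks out against that formula. The following is an added example (not the presentation's or the spreadsheet's own code) that reproduces the scoring, validates a row before scoring it, ranks the register, and shows which factors drive a given total; the factor names, weights and five risks are taken from the table above, the helper functions are this example's own.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management
spreadsheet above.  Added example, not the presentation's own code:
factor names, weights and the five scored risks are copied from the
spreadsheet; the helper functions are this example's own."""

# Factor name and weight, in spreadsheet column order.  Weights sum to 100.
FACTORS = [
    ("Level of documented control procedures", 10),
    ("Size or volume", 10),
    ("New products, services, or processing systems", 10),
    ("Personnel turnover and mix", 15),
    ("Complexity", 15),
    ("Susceptibility to fraud", 15),
    ("Information and reporting", 10),
    ("Inherent level of risk to the organization", 10),
    ("Frequency mentioned during interviews", 5),
]
SCORE_MIN, SCORE_MAX = 1, 5
MAX_TOTAL = SCORE_MAX * sum(w for _, w in FACTORS)   # 500

# The five risks scored in the spreadsheet, in the same column order.
RISK_REGISTER = {
    "Data Breach":                        [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center":       [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning":                [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition":               [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def validate_row(scores):
    """Problems with a scored row; an empty list means the row is usable.

    Catches the two data-entry errors a spreadsheet silently absorbs:
    a missing or extra column, and a score outside the 1..5 scale.
    """
    problems = []
    if len(scores) != len(FACTORS):
        problems.append(f"expected {len(FACTORS)} scores, got {len(scores)}")
        return problems
    for (name, _), s in zip(FACTORS, scores):
        if not SCORE_MIN <= s <= SCORE_MAX:
            problems.append(f"{name}: score {s} outside {SCORE_MIN}..{SCORE_MAX}")
    return problems


def weighted_score(scores):
    """Total Score = sum(factor score x factor weight)."""
    problems = validate_row(scores)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(s * w for s, (_, w) in zip(scores, FACTORS))


def rank_risks(register):
    """(name, total) pairs, highest total first; ties keep register order."""
    ranked = [(name, weighted_score(scores)) for name, scores in register.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)   # Python's sort is stable
    return ranked


def top_drivers(scores, n=3):
    """Factors contributing the most points to a risk's total.

    Shows where a score change moves the total most: one point on a
    weight-15 factor is worth three points on the weight-5 factor.
    """
    contributions = [(name, s * w) for s, (name, w) in zip(scores, FACTORS)]
    contributions.sort(key=lambda pair: pair[1], reverse=True)
    return contributions[:n]


if __name__ == "__main__":
    for name, total in rank_risks(RISK_REGISTER):
        print(f"{total:4d}/{MAX_TOTAL}  {name}")
    print("Data Breach drivers:", top_drivers(RISK_REGISTER["Data Breach"]))
```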

Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

Internal Audit Management Audit Plan

CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal
SeanWalker@claconnect.com
410-308-8081

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples tab: Commonwealth processes and procedures referenced to the associated internal control principle

Principle | Control Factor
1  | Executive Order 1980-18 Amended, Code of Conduct
1  | Performing professional and educational reference checks prior to hiring a new employee
3  | Department organization charts
4  | Annual employee performance evaluations
7  | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx

Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016

Weakness Level options: Deficiency, Significant Deficiency, Material Weakness

Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
(Corrective Action Plan, Responsible Party, and Target Completion Date are to be completed for all significant deficiencies or material weaknesses.)
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals, and Objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility
2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?
2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?
2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility, and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials, and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances
6.1 Agency has a defined strategic plan including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Question: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
    Question: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and Data Access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by Management to ensure proper segregation of duties within IT systems.
    Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
    Question: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 ndash Design Activities for the Information System
Access to Programs and Data
111 Management designs the information system and use of the information technology by considering the requirements for the unitsagencyrsquos operational processes Management classifies information resources according to their criticality and sensitivity as they relate to the agencys objectives and risks Does management design the information system and use of the information technology by considering the requirements for the AgencyAssessable Unitrsquos operational processes Does management classify information resources according to their criticality and sensitivity as they relate to the AgencyAssessable Units objectives and risks
112 Information Security PolicyUser Awareness 1) Information security policies and procedures are documented and include user security administration password management login requirements data security privacy and e-mail usage 2) Information security policies are disseminated to all users (ie online shared document repository or web portal with documents available for employee reviewaccess) Are information security policies and procedures documented and do they include user security administration password management login requirements data security privacy and e-mail usage Are information security policies disseminated to all users
113 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings Passwords are required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days User sessions are terminated after four invalid login attempts and users IDs are placed in a suspended status Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings Are passwords required to be a minimum of 8 characters one numeric and alpha character is required and passwords expire every 30 days Are user sessions terminated after four invalid login attempts and users IDs are placed in a suspended status
11.4 Access Administration. 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. | Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). | In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. | On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Super Users/Privileged Access. 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. | Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access. 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. | Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. | Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
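As an added example (not part of the CLA deck or the Commonwealth assessment template), the following check is what a reviewer could run against an HR roster extract and a directory account extract to test the rules stated in control factors 11.4, 11.6 and 11.7 above: separated users suspended by their last day, suspended IDs deleted after two weeks, admin rights only for authorized IT personnel, and unique user IDs. The roster, accounts, review date and finding codes are all constructed for the example.

```python
"""Access-administration review check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# "After a two week period user IDs are deleted from the system" (control 11.4)
DELETION_GRACE = timedelta(days=14)


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster extract (constructed)."""
    user_id: str
    department: str
    last_day: Optional[date]            # None means still employed


@dataclass(frozen=True)
class Account:
    """One row of the directory/application account extract (constructed)."""
    user_id: str
    status: str                         # "active" or "suspended"
    suspended_on: Optional[date]
    is_admin: bool
    admin_authorized_by: Optional[str]  # manager who approved admin rights, if any


Finding = Tuple[str, str]  # (finding code, user id); codes are hypothetical


def evaluate_access(employees: List[Employee], accounts: List[Account],
                    review_date: date) -> List[Finding]:
    """Reconcile the account extract against the HR roster as of review_date."""
    findings: List[Finding] = []
    roster = {e.user_id: e for e in employees}
    seen = set()
    for acct in accounts:
        uid = acct.user_id
        if uid in seen:                 # breaks the unique-ID rule of 11.5
            findings.append(("DUPLICATE_ID", uid))
            continue
        seen.add(uid)
        emp = roster.get(uid)
        if emp is None:                 # account with no HR record behind it
            findings.append(("ORPHAN_ACCOUNT", uid))
            continue
        separated = emp.last_day is not None and emp.last_day <= review_date
        if separated:
            if acct.status == "active":
                findings.append(("NOT_SUSPENDED", uid))     # 11.4 step 2, part 1
            elif acct.suspended_on is not None and \
                    review_date - acct.suspended_on > DELETION_GRACE:
                findings.append(("NOT_DELETED", uid))       # 11.4 step 2, part 2
        # 11.4 step 3 / 11.7: admin access only for authorized IT personnel
        if acct.is_admin and (emp.department != "IT" or not acct.admin_authorized_by):
            findings.append(("UNAUTHORIZED_ADMIN", uid))
    return sorted(findings)


REVIEW_DATE = date(2017, 6, 30)   # constructed review date

EMPLOYEES = [
    Employee("jdoe", "Finance", None),
    Employee("asmith", "IT", None),
    Employee("bjones", "HR", date(2017, 6, 15)),      # left 15 days before review
    Employee("ckhan", "Finance", date(2017, 6, 28)),  # left 2 days before review
    Employee("dlee", "Finance", None),
]

ACCOUNTS = [
    Account("jdoe", "active", None, False, None),
    Account("asmith", "active", None, True, "IT Director"),         # authorized admin
    Account("bjones", "suspended", date(2017, 6, 15), False, None),  # past the two week grace
    Account("ckhan", "active", None, False, None),                  # should be suspended
    Account("dlee", "active", None, True, None),                    # admin, not IT, unapproved
    Account("svc_legacy", "active", None, False, None),             # no HR record at all
]


def run_review() -> List[Finding]:
    """Run the check on the constructed extracts and return the findings."""
    return evaluate_access(EMPLOYEES, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for code, uid in run_review():
        print(f"{code:20} {uid}")
```

Each finding maps back to one assessment question in the rows above, so the output doubles as evidence for the "Action Items/Areas Needing Improvement" column of the template.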
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes. | Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. | Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. | Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. | Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. | Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software. | Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones. | Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. | Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation. | Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. | Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. | Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. | Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. | Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. | In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. | Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports. | Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file). | Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. | Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. | Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. | Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). | Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. | Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. | Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. | Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that they can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors. | How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. | Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. | Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. | How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur. | How does management ensure that effective internal communications (e.g., risk management, employee specific duties, acceptable/unacceptable behavior, complaints/inquiries, system to have improvements recommended or operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication. | Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). | Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. | What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing. | Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners. | Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. | Does management use professional judgment in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. | Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable. | How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. | Does management periodically complete a review and evaluation of each mission critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). | Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. | How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. | How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. | How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. | How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


We Find…

• Management has not formally adopted an internal control framework
• Internal controls are undermanaged
  – No formal risk assessment
    ◊ "Stuff happens" technique
    ◊ "Trust level" is the dominant risk assessment
  – Documentation of policies and procedures is lacking or outdated
• Auditors use frameworks for evaluating internal controls
  – Management relies on auditor recommendations as the sole form of risk assessment
• Generally, management is not well trained in designing and implementing internal controls


Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Deliverables shown on the slide for these steps: Written Policy (Required); Risk Assessment Spreadsheet.


Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

Deliverables shown on the slide for these steps: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required).


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet

Instructions

The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: It must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies.

A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Enterprise Risk Management

The risk register on this slide scores each risk on nine weighted factors. The weights (10, 10, 10, 15, 15, 15, 10, 10, 5) sum to 100, and the total score is the weighted sum of the nine factor scores.

RISK DESCRIPTION | Level of documented control procedures (10) | Size or volume (10) | New products, services, or processing systems (10) | Personnel turnover and mix (15) | Complexity (15) | Susceptibility to fraud (15) | Information and reporting (10) | Inherent level of risk to the organization (10) | Frequency mentioned during interviews (5) | Total score (100)
Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment and other venue related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan

CLAconnectcom

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18 Amended (Code of Conduct)
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness levels: Deficiency / Significant Deficiency / Material Weakness
Agency: _______________________   Assessable Unit: _____________   Updated: 07/18/2016
To be completed for all significant deficiencies or material weaknesses.
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Executive management has established a "tone at the top" that has been communicated to and is practiced by executives and management throughout the agency.
Question: Does your Agency/Assessable Unit effectively communicate its Mission, Vision, Goals and Objectives to all employees? Where are these principles located? How often are these principles reemphasized to the employees (i.e., annually, change of administration)?

1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9).
Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 325.12).
Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book? If yes, who is on the oversight body?

2.2 The oversight body oversees management's design, implementation and operation of the agency's internal control system.
Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often do they meet to review and discuss the internal controls?

2.3 Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body.
Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees.
Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?

3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge and experience, evidence of integrity and ethical behavior, and performing checks on background, credentials and references of new employees.
Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods.
Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 A process (i.e., Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
Question: Do you conduct a risk assessment of your business processes? If so, how and how often?

7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?

7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences.
Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management, and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?

7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (i.e., minutes of meetings, etc.)?

Principle 8 – Assess Fraud Risk

8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
Question: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?

10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 The agency has established and monitors performance measures and indicators.
Question: Do you monitor performance measures?

10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?

10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed, purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?

10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
Question: Does management utilize the appropriate type of control activities needed to address risks?

10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third party service provider.
Question: Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third party service provider?

10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
Question: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
Question: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?

11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
Question: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?

11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
Question: Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
Question: Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
Question: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
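Control factors 11.4 and 11.6 describe a deprovisioning timeline (suspend the ID on the last day, delete it two weeks later) and a periodic review that access is commensurate with job function. The following is an added example, not part of the template or any Commonwealth tool: a Python reconciliation that applies those two rules to a constructed HR separation list and account export; the role matrix, user IDs and dates are all hypothetical.

```python
"""Access review for control factors 11.4 and 11.6 (added example).

Compares an HR separation list against an account export: each account's
status is checked against the 11.4(2) timeline (suspended on the last day,
deleted after two weeks) and its roles against a job-function matrix a
business manager would certify under 11.6. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# 11.4(2): the ID is suspended on the last day and deleted two weeks later.
DELETE_AFTER = timedelta(days=14)


@dataclass
class HrRecord:
    user_id: str
    job_function: str
    last_day: Optional[date] = None  # None while still employed


@dataclass
class Account:
    user_id: str
    status: str  # "active", "suspended" or "deleted"
    roles: frozenset = field(default_factory=frozenset)


# Hypothetical role matrix: roles a business manager would certify as
# commensurate with each job function (11.6).
ROLE_MATRIX = {
    "accounts_payable": frozenset({"ap_entry", "vendor_lookup"}),
    "ap_supervisor": frozenset({"ap_approve", "vendor_lookup", "reports"}),
    "sysadmin": frozenset({"domain_admin", "server_login"}),
}


def expected_status(rec: HrRecord, today: date) -> str:
    """Status an account should have on `today` under the 11.4(2) timeline."""
    if rec.last_day is None or today < rec.last_day:
        return "active"
    if today < rec.last_day + DELETE_AFTER:
        return "suspended"  # last day reached, two-week window still open
    return "deleted"


def review_access(hr, accounts, today):
    """Return (user_id, finding) pairs; an empty list means a clean review."""
    findings = []
    hr_by_id = {r.user_id: r for r in hr}
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # 11.4(1): every account should trace back to an HR notification.
            findings.append((acct.user_id, "no HR record for account"))
            continue
        want = expected_status(rec, today)
        if acct.status != want:
            findings.append((acct.user_id, f"status {acct.status}, expected {want}"))
        if acct.status != "deleted":
            # 11.6: roles must be commensurate with the job function.
            excess = acct.roles - ROLE_MATRIX.get(rec.job_function, frozenset())
            if excess:
                findings.append((acct.user_id,
                                 f"roles beyond job function: {sorted(excess)}"))
    return findings


# Constructed sample: review date and all records are hypothetical.
REVIEW_DATE = date(2016, 7, 18)
HR_LIST = [
    HrRecord("jsmith", "accounts_payable"),
    HrRecord("tjones", "ap_supervisor", last_day=date(2016, 7, 15)),
    HrRecord("rlee", "sysadmin", last_day=date(2016, 6, 30)),
    HrRecord("mchan", "accounts_payable"),
]
ACCOUNT_EXPORT = [
    # AP clerk who can also approve: conflicts with the 10.5 segregation intent.
    Account("jsmith", "active", frozenset({"ap_entry", "vendor_lookup", "ap_approve"})),
    # Separated three days ago but never suspended.
    Account("tjones", "active", frozenset({"ap_approve", "vendor_lookup", "reports"})),
    # Suspended, but the two-week deletion window has passed.
    Account("rlee", "suspended", frozenset({"domain_admin", "server_login"})),
    Account("mchan", "active", frozenset({"ap_entry"})),
    # Account with no owner in HR.
    Account("svc_batch", "active", frozenset({"server_login"})),
]


def run_sample():
    """Run the review over the constructed sample."""
    return review_access(HR_LIST, ACCOUNT_EXPORT, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print(f"{user_id}: {finding}")
```

On the sample this reports four findings: one excess role, two accounts behind the 11.4 timeline, and one orphaned account.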
Program Changes
1110 Written systems and programming standards are established to outline requirements for changes to application software system patching configuration changes and emergency changes Have written systems and programming standards been established to outline requirements for changes to application software system patching configuration changes and emergency changes
1111 Management authorization is requested and obtained prior to initiating an application change Is management authorization requested and obtained prior to initiating an application change
1112 Application changes are tested and results of successful testing are documented prior to implementation Are application changes tested and are results of successful testing documented prior to implementation
1113 Management approval is requested and obtained prior to final implementation of an application change Approval for emergency changes is documented by management Is management approval requested and obtained prior to final implementation of an application change Is approval for emergency changes documented by management
1114 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties Developers and end users do not have the administrative access required to implement system software changes into the production environment Sharedsystem user IDs do not exist ANDOR the implementation of changes is performed through the use of a scheduled job Release notices are sent to IT staff and business units as required Is administrative access required to implement system software changes into the production environment and is this access restricted to authorized personnel who require such access to perform job duties How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment How does management ensure that sharedsystem user IDs do not exist Are release notices sent to IT staff and business units as required
Program Development
1115 A written system development lifecycle is established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software Has a written system development lifecycle been established to outline requirements for planning designing developing testing approving and implementing new applications and upgrades to existing applications including vendor-developed software
1116 For all new applications or upgrades appropriate project management documentation is prepared to define project scope requirements project plans and milestones Is appropriate project management documentation prepared for all new applications or upgrades Does this documentation define the project scope requirements project plans and milestones
1117 Management authorization is documented for all system implementations and upgrades For all new application development efforts a detailed design is established based on business requirements and considers all objectives including functionality and security during and after development Developers do not have access to modify final production code during and after system implementations Is management authorization documented for all system implementations and upgrades Is a detailed design established for all new application development efforts Is the design based on business requirements and does it consider all objectives including functionality and security during and after development How does the unit ensure that developers do not have access to modify final production code during and after system implementations
1118 For all new or upgraded applications testing is planned and results of successful testing by IT software vendors (if applicable) and user groups are documented prior to implementation Is testing planned for all new or upgraded applications Are results of successful testing by IT software vendors (if applicable) and user groups documented prior to implementation
1119 Management approval is requested and obtained prior to final implementation of a new or upgraded application Approval is documented Is management approval requested and obtained prior to final implementation of a new or upgraded application Is approval documented
1120 The implementation of new and upgraded application software is documented and supporting system documentation is established and retained If data migration is performed as a result of the newupgraded application software reconciliations are performed to ensure that data migrated successfully and accurately Support for reconciliations is retained A post-implementation review for all new or upgraded application software is performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment Is the implementation of new and upgraded application software documented and is supporting system documentation established and retained If data migration is performed as a result of the newupgraded application software are reconciliations performed to ensure that data migrated successfully and accurately Is support for reconciliations retained Is a post-implementation review for all new or upgraded application software performed by IT end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment
Computer Operations
1121 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure the job scheduling application generates a visual alert Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure does the job scheduling application generates a visual alert Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented
1122 Full system backups are performed on a weeklymonthly basis In addition incremental backups of critical data are performed on a daily basis The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis Are full system backups performed on a weeklymonthly basis In addition are incremental backups of critical data performed on a daily basis Does the AgencyAssessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis
1123 In the event that a backup job fails or data processing performance is negatively affected a helpdesk ticket is created and computer operations personnel are responsible for investigation and documenting the resolution in the helpdesk ticket In the event that a backup job fails or data processing performance is negatively affected is a helpdesk ticket created and are computer operations personnel responsible for investigation and documenting the resolution in the helpdesk ticket
Data Integrity
1124 Management establishes restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals System analytics and exception reporting are used to ensure that all data processed are authorized Does management establish restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals Are system analytics and exception reporting used to ensure that all data processed are authorized
1125 Data validation procedures are in place to ensure accuracy of data manually entered andor interfaced into the system Data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports Are data validation procedures in place to ensure accuracy of data manually entered andor interfaced into the system Do data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports
1126 Application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file) Do application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file)
Disaster Recovery
1127 A disaster response and recovery plan has been developed and is understood by key personnel As part of developing this plan management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources Has a disaster response and recovery plan been developed and is it understood by key personnel As part of developing this plan has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources
1128 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management
1129 Management has established a comprehensive contingency plan that allows for the timely recovery of information This plan is periodically tested and adjusted as appropriate Has management established a comprehensive contingency plan that allows for the timely recovery of information Is this plan periodically tested and adjusted as appropriate
End-User Computing
1130 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543) Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)
Principle 12 ndash Implement Control Activities
121 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended Are control activities regularly evaluated to ensure that they are still appropriate and working as intended
122 Reviews are made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed Are reviews made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed
123 Management documents in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities Does management document in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities
Information and Communication
Principle 13 ndash Use Quality Information
131 Management continuously identifies its information requirements needed to communicate effectively both internally and externally This would include managements review of changes to statute regulations economic changes and other factors How does management continuously identify changes (ie control environment controls internal controls regulations etc)and ensure it is communicated internally andor externally
132 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements Where and when does management obtain its relevant data (both internally and externally) and how does management ensure that information received is reliable and not reporting false information
133 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agencys information system Is management using current complete accurate and accessible information on a timely basis to make informed decisions What reporting mechanisms (ie SAP module manual reports) are being used to run reports to meet the control objectives
Principle 14 ndash Communication Internally
141 Policies and procedures are formally shared with employees up-to-date reflective of actual operating practices in alignment with goals and objectives and comply with state and federal program requirements How are changes (ie policyprocedural compliance or regulatory) communicated to all employees Are policies and procedures reviewed and updated to reflect changes
142 Management ensures that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur How does management ensure that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Incremental Progress - Organizing (HERE)

• Formally declare an internal control framework
• Break down the organization into functions
• Establish a process for evaluating risks
• Create teams by function to brainstorm risks

Supporting deliverables: Written Policy (Required); Risk Assessment Spreadsheet

33


Incremental Progress - Analysis and Monitoring (THERE)

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

Supporting deliverables: Risk Assessment Spreadsheet; Internal Control Policies and Procedures (Required); Internal Audit / Management Audit Plan (Required)

34


Written Policy

35


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

36


Risk Assessment Spreadsheet

37

Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each identified weakness must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed, so that even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, some representative examples specific to the Commonwealth are presented in the third tab of this file. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples



Enterprise Risk Management

Factor weights (total 100): Level of documented control procedures 10; Size or volume 10; New products, services or processing systems 10; Personnel turnover and mix 15; Complexity 15; Susceptibility to fraud 15; Information and reporting 10; Inherent level of risk to the organization 10; Frequency mentioned during interviews 5.

| Risk description | Documented controls (10) | Size/volume (10) | New products/systems (10) | Turnover/mix (15) | Complexity (15) | Fraud susceptibility (15) | Information/reporting (10) | Inherent risk (10) | Interview frequency (5) | Total score |
|---|---|---|---|---|---|---|---|---|---|---|
| Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405 |
| National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335 |
| Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335 |
| Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335 |
| Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330 |

Risk descriptions:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment and other venue related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions, should those positions be vacated for reasons other than termination.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
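The Total score column is the weighted sum of the nine factor ratings (weight × rating, with weights totalling 100), which is why Data Breach scores 405. The following is an added example, not code from the presentation or from CLA, that reproduces that arithmetic from the sheet's weights and ratings, rejects ratings outside the scale, ranks the risks, and shows which factors drive a given total; the 1 to 5 rating scale is an assumption drawn from the ratings shown.

```python
"""Weighted inherent-risk scoring as laid out in the Enterprise Risk Management sheet.

Added example; not code from the presentation or from CLA. Weights and the five
risks are taken from the sheet, the 1-5 rating scale is assumed.
"""
from typing import Dict, List, Sequence, Tuple

# Factor weights in the sheet's column order. They sum to 100, so a risk rated 5 on
# every factor scores 500 and a risk rated 1 everywhere scores 100.
WEIGHTS: Dict[str, int] = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}
FACTORS: List[str] = list(WEIGHTS)
RATING_MIN, RATING_MAX = 1, 5  # assumed scale; every rating on the sheet is within 1-5

assert sum(WEIGHTS.values()) == 100, "factor weights must total 100"


def weighted_score(ratings: Sequence[int]) -> int:
    """Return sum(weight * rating) for ratings given in the sheet's column order.

    Raises ValueError for a missing factor or a rating outside the scale, so a
    mistyped cell cannot silently change a risk's rank.
    """
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    for factor, rating in zip(FACTORS, ratings):
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{factor!r}: rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    return sum(WEIGHTS[factor] * rating for factor, rating in zip(FACTORS, ratings))


# The five risks and their ratings from the sheet, in the column order above.
RISK_REGISTER: Dict[str, Sequence[int]] = {
    "Data Breach": (2, 5, 4, 3, 5, 4, 5, 5, 3),
    "National Park Service Relationship": (3, 5, 4, 3, 4, 1, 2, 5, 5),
    "Age of Venue - Filene Center": (3, 5, 4, 3, 4, 3, 1, 4, 3),
    "Succession Planning": (5, 2, 1, 5, 3, 2, 3, 5, 5),
    "Audience Competition": (3, 5, 3, 1, 4, 2, 4, 5, 5),
}


def rank_risks(register: Dict[str, Sequence[int]]) -> List[Tuple[str, int]]:
    """Score every risk and return (name, total) pairs, highest total first.

    The sort is stable, so risks with equal totals keep the register's order,
    as the three 335-point risks do on the sheet.
    """
    scored = [(name, weighted_score(ratings)) for name, ratings in register.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def top_factors(ratings: Sequence[int], n: int = 3) -> List[Tuple[str, int]]:
    """Return the n factors contributing the most points to a risk's total.

    This is what a team would look at when deciding which control to design
    first: for Data Breach the largest contributions are Complexity (75) and
    Susceptibility to fraud (60).
    """
    points = [(factor, WEIGHTS[factor] * rating) for factor, rating in zip(FACTORS, ratings)]
    return sorted(points, key=lambda pair: pair[1], reverse=True)[:n]


if __name__ == "__main__":
    for name, total in rank_risks(RISK_REGISTER):
        print(f"{total:4d}  {name}")
    print("Data Breach drivers:", top_factors(RISK_REGISTER["Data Breach"]))
```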

38


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

39


Internal Audit Management Audit Plan

40

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

41

  • Internal Control over ComplianceGreen Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Principle | Control Factor
1 | Executive Order 1980-18 Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department Organization Charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness levels: Deficiency / Significant Deficiency / Material Weakness
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016
(To be completed for all significant deficiencies or material weaknesses.)
Template columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment

Principle 1 – Demonstrate Commitment to Integrity and Ethical Values

1.1 Control factor: Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency.
    Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to employees (e.g., annually, on a change of administration)?

1.2 Control factor: Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such standards (Management Directive 205.9).
    Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?

Principle 2 – Exercise Oversight Responsibility

2.1 Control factor: Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12).
    Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?

2.2 Control factor: The oversight body oversees management's design, implementation and operation of the agency's internal control system.
    Question: Does the oversight body oversee management's design, implementation and operation of the internal control system? How often does it meet to review and discuss internal controls?

2.3 Control factor: Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal control to the oversight body.
    Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?

Principle 3 – Establish Structure, Responsibility and Authority

3.1 Control factor: Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees.
    Question: Does your Agency/Assessable Unit document its organizational structure in an organization chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organization chart, and is it shared with employees upon updates/revisions?

3.2 Control factor: Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives.
    Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?

3.3 Control factor: Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system.
    Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?

Principle 4 – Demonstrate Commitment to Competence

4.1 Control factor: Management performs required personnel actions, including hiring the most qualified individuals based on skills, knowledge and experience and on evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees.
    Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?

4.2 Control factor: Management has identified and defined the tasks required to accomplish particular jobs and fill various positions.
    Question: Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?

4.3 Control factor: Employees receive/obtain information and training about internal controls as it pertains to their position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system.
    Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?

4.4 Control factor: Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel.
    Question: Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?

Principle 5 – Enforce Accountability

5.1 Control factor: Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations.
    Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?

5.2 Control factor: Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations conducted on a timely basis to ensure job duties (e.g., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?

5.3 Control factor: Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels or other methods.
    Question: Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment

Principle 6 – Define Objectives and Risk Tolerances

6.1 Control factor: The agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the agency. The agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives.
    Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?

6.2 Control factor: Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit.
    Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?

Principle 7 – Identify, Analyze and Respond to Risks

7.1 Control factor: A process (e.g., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?

7.2 Control factor: A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually.
    Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?

7.3 Control factor: Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk.
    Question: Do you conduct a risk assessment of your business processes? If so, how, and how often?

7.4 Control factor: Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities.
    Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?

7.5 Control factor: Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Question: Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (e.g., an open-door policy)?

7.6 Control factor: Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences.
    Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact would sustain the greatest negative consequences?

7.7 Control factor: Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.
    Question: How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (e.g., in minutes of meetings)?

Principle 8 – Assess Fraud Risk

8.1 Control factor: Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Question: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?

8.2 Control factor: Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Question: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?

8.3 Control factor: Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Question: How does management respond to any identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?

Principle 9 – Identify, Analyze and Respond to Change

9.1 Control factor: Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel.
    Question: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?

9.2 Control factor: Mechanisms exist to identify, prioritize and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Question: How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?

9.3 Control factor: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Question: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities

Principle 10 – Design Control Activities

10.1 Control factor: Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives, achieve the entity's objectives and address related risks.
     Question: Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives, achieve objectives and address related risks?

10.2 Control factor: Policies and procedures address the handling of confidential or sensitive information, such as Social Security numbers or protected health information.
     Question: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?

10.3 Control factor: Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives.
     Question: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?

10.4 Control factor: The agency has established and monitors performance measures and indicators.
     Question: Do you monitor performance measures?

10.5 Control factor: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk.
     Question: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?

10.6 Control factor: Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
     Question: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
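The role review that 10.5 and 10.6 call for is usually done by hand against a spreadsheet; the script below shows the check in working form. It is an added example, not part of the Commonwealth template or of any agency system: the role names, the role-to-duty catalogue, the conflicting-duty pairs beyond the four duties 10.5 names, the user/role export and the compensating-control register are all constructed for illustration. It flags every user holding a conflicting pair of duties, notes whether a documented compensating control exists, and, as a practitioner would want, reports roles missing from the catalogue instead of silently ignoring them.

```python
"""Segregation-of-duties review over an application role export.

Added example for control factors 10.5 and 10.6; not part of the
Commonwealth template. Role names, the role-to-duty catalogue, the
toxic-pair list and the export below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from itertools import combinations

# Hypothetical role catalogue: the duty each application role confers.
# A real review takes this from the system's own role documentation.
ROLE_DUTIES = {
    "AP_CLERK": "initiate",           # enters vendor invoices
    "AP_APPROVER": "approve",         # releases invoices for payment
    "GL_RECONCILER": "reconcile",     # reconciles balances
    "CASHIER": "handle_assets",       # handles cash and checks
    "FIN_REPORT_REVIEWER": "review",  # reviews financial reports
    "SEC_ADMIN": "provision",         # grants and changes user access
    "AP_INQUIRY": None,               # read-only, confers no duty
}

# Duty pairs no single person should hold. The first five follow 10.5
# (initiate, reconcile, handle assets, review); the provisioning pairs are
# an assumption reflecting 10.6, since an account administrator who can
# also transact defeats segregation inside the IT system.
TOXIC_PAIRS = {
    frozenset(p)
    for p in [
        ("initiate", "approve"),
        ("initiate", "reconcile"),
        ("initiate", "handle_assets"),
        ("handle_assets", "reconcile"),
        ("reconcile", "review"),
        ("provision", "initiate"),
        ("provision", "approve"),
    ]
}

# Constructed user/role export, as a system administrator would pull it.
ROLE_EXPORT = """\
user,system,role
jdoe,ERP,AP_CLERK
jdoe,ERP,GL_RECONCILER
asmith,ERP,AP_CLERK
asmith,ERP,AP_APPROVER
bjones,ERP,CASHIER
bjones,ERP,AP_INQUIRY
clee,AD,SEC_ADMIN
clee,ERP,AP_CLERK
dkim,ERP,TREASURY_OPS
"""

# Documented compensating controls (10.5 permits them where segregation is
# not practical), keyed by user and conflicting duty pair. Constructed.
COMPENSATING = {
    ("asmith", frozenset({"initiate", "approve"})):
        "Monthly supervisory review of AP approvals over $5,000",
}


def duties_by_user(export_text):
    """Map each user to {duty: [(system, role), ...]}; collect unmapped roles."""
    duties = defaultdict(lambda: defaultdict(list))
    unmapped = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role = row["role"]
        if role not in ROLE_DUTIES:
            # A role the catalogue does not know cannot be assessed; report it.
            unmapped.append((row["user"], row["system"], role))
            continue
        duty = ROLE_DUTIES[role]
        if duty is not None:
            duties[row["user"]][duty].append((row["system"], role))
    return duties, unmapped


def find_conflicts(export_text, compensating=COMPENSATING):
    """Return (conflicts, unmapped). Each conflict carries the roles that
    create it and the compensating control on file, if any."""
    duties, unmapped = duties_by_user(export_text)
    conflicts = []
    for user, held in sorted(duties.items()):
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in TOXIC_PAIRS:
                conflicts.append({
                    "user": user,
                    "duties": tuple(sorted(pair)),
                    "roles": held[a] + held[b],
                    "compensating": compensating.get((user, pair)),
                })
    return conflicts, unmapped


def uncompensated(conflicts):
    """Users with at least one conflict that has no documented mitigation."""
    return sorted({c["user"] for c in conflicts if c["compensating"] is None})


if __name__ == "__main__":
    found, unknown = find_conflicts(ROLE_EXPORT)
    for c in found:
        status = ("compensated: " + c["compensating"]) if c["compensating"] else "UNCOMPENSATED"
        print(f"{c['user']}: {' + '.join(c['duties'])} via {c['roles']} -> {status}")
    for u in unknown:
        print(f"unmapped role, cannot assess: {u}")
```

A compensating control only downgrades a finding; the reviewer still signs off on it each cycle, and an unmapped role is itself a finding for the 10.6 annual role review, because a duty the catalogue does not describe is one nobody has evaluated.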
10.7 Control factor: Management designs control activities so that certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to identified risks (e.g., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
     Question: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?

10.8 Control factor: Accounting reports and key reconciliations are completed timely (e.g., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
     Question: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?

10.9 Control factor: Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take into consideration the following controls when designing effective control procedures:
     • Top-level reviews of performance
     • Management of human capital
     • Controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals against control accounts, etc.)
     • Physical control over vulnerable assets
     • Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
     Question: Does management utilize the appropriate types of control activities needed to address risks?

10.10 Control factor: Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (e.g., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
      Question: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?

10.11 Control factor: Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
      Question: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?

10.12 Control factor: Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
      Question: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?

10.13 Control factor: Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
      Question: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?

10.14 Control factor: Management obtains and reviews all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
      Question: Does management obtain and review all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System

Access to Programs and Data

11.1 Control factor: Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
     Question: Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?

11.2 Control factor: Information security policy/user awareness: 1) information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage; 2) information security policies are disseminated to all users (e.g., an online shared document repository or web portal with documents available for employee review/access).
     Question: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?

11.3 Control factor: Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alphabetic character are required, and passwords expire every 30 days. After four invalid login attempts the login session is terminated and the user ID is placed in a suspended status.
     Question: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alphabetic character, and do they expire every 30 days? After four invalid login attempts, is the session terminated and the user ID placed in a suspended status?
     Note: these parameters are the template's 2016 baseline. NIST SP 800-63B (2017) advises against routine periodic password expiry and favors length over composition rules, so confirm which standard the agency's password policy is written to before scoring this factor.

11.4 Control factor: Access administration: 1) network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators; upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail; upon notification, the system administrator suspends the user's ID on the employee's last day, and after a two-week period user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
     Question: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?

11.5 Control factor: In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
     Question: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?

11.6 Control factor: On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job functions. The Data Security group is responsible for performing all modifications to information system access.
     Question: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job functions? Is the Data Security group responsible for granting, changing and removing access to information systems?
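The leaver process in 11.4 and the semiannual review in 11.6 are the two controls most often found broken in practice, and both can be checked mechanically before business managers attest to the remainder. The script below is an added example and not part of the Commonwealth template or of any agency's tooling: the HR feed, the account export, the review date, the "IT" department name and the 90-day dormancy threshold are all constructed assumptions (the two-week deletion window is the one figure 11.4 itself states). It reconciles the account list against HR and reports accounts still enabled or present after separation, logons after the separation date, administrative IDs held outside the IT group, IDs with no HR owner, and dormant IDs for the reviewer to confirm.

```python
"""Leaver and privileged-access reconciliation for the user access review.

Added example for control factors 11.4 and 11.6; not part of the
Commonwealth template. The HR feed, account export, review date, admin
group name and dormancy threshold below are constructed assumptions.
"""
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2016, 7, 18)        # assumed date of this review cycle
DELETE_AFTER = timedelta(days=14)      # 11.4(2): IDs deleted two weeks after separation
DORMANT_AFTER = timedelta(days=90)     # assumed threshold; the template sets none
ADMIN_GROUP = "IT"                     # 11.4(3): admin access limited to the IT group

# Constructed HR feed, in the shape HR would e-mail to system administrators.
HR_FEED = """\
employee_id,name,status,separation_date,department
1001,J. Doe,active,,Finance
1002,A. Smith,separated,2016-06-30,Finance
1003,B. Jones,separated,2016-07-12,IT
1004,C. Lee,active,,IT
1005,D. Kim,active,,Finance
"""

# Constructed directory/application account export.
ACCOUNT_EXPORT = """\
account,employee_id,enabled,admin,last_logon
jdoe,1001,true,true,2016-07-15
asmith,1002,true,false,2016-07-01
bjones,1003,false,true,2016-07-11
clee,1004,true,true,2016-07-17
dkim,1005,true,false,2016-03-01
svc_backup,,true,true,2016-07-18
"""


def _date(text):
    """Parse an ISO date field; empty fields mean 'none'."""
    return date.fromisoformat(text) if text else None


def review_access(hr_csv, accounts_csv, review_date=REVIEW_DATE):
    """Return sorted (account, finding) pairs for the reviewer to clear."""
    people = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        name = acct["account"]
        enabled = acct["enabled"] == "true"
        admin = acct["admin"] == "true"
        last_logon = _date(acct["last_logon"])
        person = people.get(acct["employee_id"])

        if person is None:
            # No HR owner: nobody can attest the access matches a job function.
            findings.append((name, "no HR record (orphan or shared/system ID)"))
            if admin:
                findings.append((name, "admin access without an accountable owner"))
            continue

        separated = _date(person["separation_date"])
        if separated:
            # Leaver checks from 11.4(2): suspended on the last day, deleted two weeks later.
            if enabled:
                findings.append((name, "still enabled after separation"))
            if last_logon and last_logon > separated:
                findings.append((name, "logon activity after separation date"))
            if review_date - separated > DELETE_AFTER:
                findings.append((name, "not deleted within two weeks of separation"))
            continue

        # Active staff: privileged-access and dormancy checks for the 11.6 review.
        if admin and person["department"] != ADMIN_GROUP:
            findings.append((name, f"admin access outside the {ADMIN_GROUP} group"))
        if enabled and last_logon and review_date - last_logon > DORMANT_AFTER:
            findings.append((name, "no logon in 90 days (confirm still required)"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in review_access(HR_FEED, ACCOUNT_EXPORT):
        print(f"{account}: {finding}")
```

The output is the exception list the business managers and the Data Security group work from; an empty list is evidence the leaver control operated, and every remaining line needs either a ticket or a documented reason before the review is signed.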
11.7 Control factor: Super users/privileged access: 1) access to special privileges (e.g., Security, Super) within applications is limited to personnel authorized by management; 2) administrative access to the operating system/servers is limited to authorized personnel; 3) administrative and privileged access (write/execute) to databases is limited to authorized personnel.
     Question: 1) Is access to special privileges (e.g., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?

11.8 Control factor: Physical access: 1) access to the data center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access; access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges; the software functions are password protected, and only the administrator and designated backups have access to the system.
     Question: 1) Is access to the data center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?

11.9 Control factor: Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
     Question: Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes

11.10 Control factor: Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes.
      Question: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?

11.11 Control factor: Management authorization is requested and obtained prior to initiating an application change.
      Question: Is management authorization requested and obtained prior to initiating an application change?

11.12 Control factor: Application changes are tested, and the results of successful testing are documented prior to implementation.
      Question: Are application changes tested, and are the results of successful testing documented prior to implementation?

11.13 Control factor: Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
      Question: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?

11.14 Control factor: The administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform their job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through a scheduled job. Release notices are sent to IT staff and business units as required.
      Question: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require it to perform their job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statutes, regulations, economic changes, and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors, and business partners. Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations, and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general, and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level, when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including the subrecipient and vendor level, when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?


Incremental Progress - Analysis and Monitoring

• Analyze identified risks
• Align existing controls with identified risks
• Design controls to mitigate high exposure risks
• Develop a process to ensure the controls are operating as designed

[Figure: the four steps are mapped to the supporting artifacts: Risk Assessment Spreadsheet, Internal Control Policies and Procedures (Required), and Internal Audit / Management Audit Plan (Required)]


Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples


Enterprise Risk Management

Scoring factors and weights (the weight row totals 100):
  Level of documented control procedures: 10
  Size or volume: 10
  New products, services, or processing systems: 10
  Personnel turnover and mix: 15
  Complexity: 15
  Susceptibility to fraud: 15
  Information and reporting: 10
  Inherent level of risk to the organization: 10
  Frequency mentioned during interviews: 5

Each row below gives the risk description, the nine factor scores in the order above, and the total score as printed.

Data Breach: The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. Scores: 2, 5, 4, 3, 5, 4, 5, 5, 3. Total score: 405

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. Scores: 3, 5, 4, 3, 4, 1, 2, 5, 5. Total score: 335

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. Scores: 3, 5, 4, 3, 4, 3, 1, 4, 3. Total score: 335

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. Scores: 5, 2, 1, 5, 3, 2, 3, 5, 5. Total score: 335

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. Scores: 3, 5, 3, 1, 4, 2, 4, 5, 5. Total score: 330
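Every total in the spreadsheet is the weighted sum of its nine factor scores by the weight row (Data Breach: 2×10 + 5×10 + 4×10 + 3×15 + 5×15 + 4×15 + 5×10 + 5×10 + 3×5 = 405, which over a weight total of 100 is 4.05 on the 1-to-5 scale). The following added example, not part of the slide deck or the template, recomputes and ranks the register with that formula; the weights and score rows are transcribed from the table above, and the function names and the validation checks are my own.

```python
"""Weighted inherent-risk scoring for the Enterprise Risk Management register.

Added example: the factor names, weights and risk rows are transcribed from
the slide; the function names and the validation rules are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

# Factor weights from the weight row on the slide; they total 100.
FACTOR_WEIGHTS: Dict[str, int] = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services, or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}

# Risk rows: name -> nine factor scores, in the same order as FACTOR_WEIGHTS.
RISK_REGISTER: Dict[str, List[int]] = {
    "Data Breach": [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center": [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning": [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition": [3, 5, 3, 1, 4, 2, 4, 5, 5],
}

# Every score on the slide lies in this range (assumed rating scale).
SCORE_MIN, SCORE_MAX = 1, 5


def validate_weights(weights: Dict[str, int]) -> None:
    """Weights must total 100 so that total / 100 reads as a 1-to-5 rating."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights total {total}, expected 100")


def weighted_score(scores: Sequence[int], weights: Dict[str, int]) -> int:
    """Return the total score exactly as printed on the slide (e.g. 405)."""
    validate_weights(weights)
    if len(scores) != len(weights):
        raise ValueError(f"expected {len(weights)} scores, got {len(scores)}")
    for name, score in zip(weights, scores):
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{name}: score {score} outside {SCORE_MIN}-{SCORE_MAX}")
    return sum(s * w for s, w in zip(scores, weights.values()))


def factor_contributions(scores: Sequence[int],
                         weights: Dict[str, int]) -> Dict[str, int]:
    """Break a total down by factor (e.g. what drives Data Breach to 405)."""
    return {name: s * w for (name, w), s in zip(weights.items(), scores)}


def rank_register(register: Dict[str, Sequence[int]],
                  weights: Dict[str, int]) -> List[Tuple[str, int]]:
    """Rank risks by total score, highest first; ties keep register order."""
    scored = [(name, weighted_score(row, weights)) for name, row in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, total in rank_register(RISK_REGISTER, FACTOR_WEIGHTS):
        print(f"{total / 100:.2f}  {name}")
    for factor, part in factor_contributions(RISK_REGISTER["Data Breach"],
                                             FACTOR_WEIGHTS).items():
        print(f"  {part:3d}  {factor}")
```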


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – Sharepoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit / Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, Sean.Walker@claconnect.com, 410-308-8081

Principle | Control Factor
1 | Executive Order 1980-18, Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness level drop-down values: Deficiency, Significant Deficiency, Material Weakness
Agency: _______________________  Assessable Unit: _____________  Updated: 07/18/2016
To be completed for all significant deficiencies or material weaknesses.
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 – Establish Structure, Responsibility and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority/responsibility and is shared with employees. Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation and operating effectiveness of an entity's internal control system. How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including hiring the most qualified individuals based on skills, knowledge and experience and on evidence of integrity and ethical behavior, and performing checks on the background, credentials and references of new employees. When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Are meetings held with management to review its organizational needs, to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (e.g., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the agency. The agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for nonfinancial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze and Respond to Risks
7.1 A process (e.g., a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how, and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (e.g., an open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. How does management analyze risk before proceeding with any new venture, mission or operation? Is this process documented (e.g., minutes of meetings)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and the appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Management also identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (e.g., reviewing segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (e.g., implementing compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates them effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future, and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize and react to 1) routine events (e.g., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize and react to routine events, economic change, regulatory changes, new legislation and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (e.g., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (e.g., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and the roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
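The role review that 10.5 and 10.6 call for is easiest to evidence when it is run as a script over the system's role export rather than by eye. The following is an added example written for this page, not code from the worksheet or from any Commonwealth system: it takes user-to-role rows, a matrix of role pairs that one person must not hold together, and a register of approved exceptions with their documented compensating control, and lists each conflict as a deficiency or as mitigated. The roles, users, matrix and exception register are all constructed assumptions; a real run would load the unit's own role export and its documented SoD matrix. The matrix also carries the developer/production-deploy pairing from 11.14, since that split is the same kind of conflict.

```python
"""Segregation-of-duties (SoD) conflict check over a role export.

Added example for items 10.5 and 10.6 (and the developer/production split in
11.14): given user-to-role assignments and a matrix of role pairs that one
person must not hold together, list each conflict and whether a documented
compensating control covers it. Every name, role and assignment below is
constructed for illustration; the conflict matrix and the exception register
are assumptions standing in for the unit's own process documentation.
"""
from collections import defaultdict
from itertools import combinations

# Role pairs that must be held by different people (assumed matrix).
CONFLICTING_ROLES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"vendor_master_edit", "approve_payment"}),
    frozenset({"bank_reconciliation", "initiate_payment"}),
    # 11.14: developers must not be able to push changes into production.
    frozenset({"application_developer", "production_deploy"}),
}

# Constructed role export, e.g. rows from an application's user/role report.
ROLE_EXPORT = [
    ("asmith", "initiate_payment"),
    ("asmith", "approve_payment"),
    ("bjones", "approve_payment"),
    ("bjones", "vendor_master_edit"),
    ("cwu", "bank_reconciliation"),
    ("cwu", "report_viewer"),
    ("ddev", "application_developer"),
    ("ddev", "production_deploy"),
]

# Approved exceptions with their documented compensating control (assumed register).
COMPENSATING_CONTROLS = {
    ("bjones", frozenset({"vendor_master_edit", "approve_payment"})):
        "monthly supervisor review of vendor master changes against payments made",
}


def roles_by_user(export):
    """Collapse (user, role) rows into {user: set(roles)}."""
    users = defaultdict(set)
    for user, role in export:
        users[user].add(role)
    return users


def find_sod_conflicts(export, matrix=CONFLICTING_ROLES, controls=COMPENSATING_CONTROLS):
    """Return (user, role_a, role_b, status, note) for every conflicting pair.

    status is "deficiency" when no compensating control is documented for that
    user and pair, "mitigated" when one is. Output is sorted by user, then roles.
    """
    findings = []
    for user, roles in sorted(roles_by_user(export).items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            pair = frozenset({role_a, role_b})
            if pair not in matrix:
                continue
            control = controls.get((user, pair))
            status = "mitigated" if control else "deficiency"
            findings.append((user, role_a, role_b, status,
                             control or "no documented compensating control"))
    return findings


if __name__ == "__main__":
    for user, role_a, role_b, status, note in find_sod_conflicts(ROLE_EXPORT):
        print(f"{status:10} {user:8} {role_a} + {role_b}: {note}")
```

Keeping the exception register keyed by user and role pair, rather than by user alone, matters: an exception documented for one conflict should not silently cover a second conflict the same person later acquires.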
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (e.g., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (e.g., the reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by the signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding its control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (e.g., edit checks of data entered, accounting for transactions in numerical sequence, batch totals agreed to control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (e.g., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls, depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies, and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements and related independent reports (e.g., Service Organization Control (SOC) 1, SOC 2 and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. A meaningful review also confirms that the report's period covers the Commonwealth's reporting period, that the system description includes the services the agency actually consumes (subservice organizations are often carved out), that any testing exceptions are evaluated for their effect on the agency, and that the complementary user entity controls the report assumes are actually operating on the agency's side. Does management obtain and review all independent reports to ensure each report covers the controls related to the risks identified through the vendor's relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and the use of information technology by considering the requirements of the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and the use of information technology by considering the requirements of the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy and e-mail usage. 2) Information security policies are disseminated to all users (e.g., an online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, at least one numeric and one alphabetic character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with at least one numeric and one alphabetic character, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status? When testing, read the effective settings from the domain (the default domain policy and any fine-grained password policy that applies to the accounts in question) and from each application's own configuration, rather than relying on the written policy alone.
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (e.g., Security Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. 1) Is access to special privileges (e.g., Security Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
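The semiannual review in 11.6, the separation handling in 11.4 and the privileged-access limits in 11.7 all reduce to the same reconciliation: the account export against the HR roster and against the list of people management has authorized for each privileged group. The script below is an added example written for this page, not code from the worksheet or from any Commonwealth system. It reads two constructed CSV extracts (the column names, group names, review date and every row are assumptions, not a real directory's format), flags separated employees whose accounts are still enabled or that should already have been deleted under the two-week rule, flags accounts with no HR record (orphan or unowned service accounts), and flags privileged-group members who are not on the authorized list.

```python
"""Semiannual user access review reconciliation.

Added example for items 11.4, 11.6 and 11.7: reconcile an account export
against the HR roster and the management-authorized list of privileged users,
and list what a reviewer must act on. Column names, group names, the review
date and all rows are constructed sample data, not a real system's format.
"""
import csv
import io
from datetime import date, timedelta

# 11.4(2): IDs are suspended on the last day and deleted two weeks later.
DELETION_GRACE = timedelta(days=14)
REVIEW_DATE = date(2017, 10, 15)  # assumed date of this review cycle

HR_ROSTER = """employee_id,username,status,last_day
1001,asmith,active,
1002,bjones,separated,2017-09-01
1003,cwu,separated,2017-10-10
1004,ddev,active,
"""

ACCOUNT_EXPORT = """username,enabled,groups
asmith,true,Finance Users;Domain Admins
bjones,true,Finance Users
cwu,false,Finance Users
ddev,true,Developers
svc_backup,true,Backup Operators
"""

# 11.7: privileged groups and the people management has authorized for each.
AUTHORIZED_PRIVILEGED = {
    "Domain Admins": {"itadmin1"},
    "Backup Operators": {"svc_backup"},
}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_text, account_text, authorized, review_date):
    """Return (username, issue) pairs, in account-export order."""
    hr = {row["username"]: row for row in parse_csv(hr_text)}
    findings = []
    for acct in parse_csv(account_text):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = {g for g in acct["groups"].split(";") if g}
        person = hr.get(user)

        if person is None:
            # Orphan or service account: needs a named owner and a justification.
            findings.append((user, "no HR record; confirm owner or service-account justification"))
        elif person["status"] == "separated":
            last_day = date.fromisoformat(person["last_day"])
            if enabled:
                findings.append((user, f"separated {last_day} but account still enabled"))
            if review_date - last_day > DELETION_GRACE:
                findings.append((user, f"separated {last_day}; ID should have been deleted by "
                                       f"{last_day + DELETION_GRACE}"))

        # Privileged group membership must match management's authorization list.
        for group in sorted(groups & set(authorized)):
            if enabled and user not in authorized[group]:
                findings.append((user, f"in privileged group '{group}' without management authorization"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(HR_ROSTER, ACCOUNT_EXPORT, AUTHORIZED_PRIVILEGED, REVIEW_DATE):
        print(f"{user:12} {issue}")
```

Running the same reconciliation every cycle and keeping its output with the business managers' sign-offs is what turns the review from an assertion into evidence; the findings list is also the natural input for the exception follow-up that 2.3 asks about.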
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and to enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to enter? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and to enter changes to cardholders and their privileges? Are the software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and the results of successful testing are documented prior to implementation. Are application changes tested, and are the results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 The administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform their job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist, and/or the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform their job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and the results of successful testing by IT, software vendors (if applicable) and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are the results of successful testing by IT, software vendors (if applicable) and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review of all new or upgraded application software is performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review of all new or upgraded application software performed by IT, end users and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
1121 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure the job scheduling application generates a visual alert Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool In the event of a processing failure does the job scheduling application generates a visual alert Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure and errors are resolved and documented
1122 Full system backups are performed on a weeklymonthly basis In addition incremental backups of critical data are performed on a daily basis The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis Are full system backups performed on a weeklymonthly basis In addition are incremental backups of critical data performed on a daily basis Does the AgencyAssessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannualannual basis
1123 In the event that a backup job fails or data processing performance is negatively affected a helpdesk ticket is created and computer operations personnel are responsible for investigation and documenting the resolution in the helpdesk ticket In the event that a backup job fails or data processing performance is negatively affected is a helpdesk ticket created and are computer operations personnel responsible for investigation and documenting the resolution in the helpdesk ticket
Data Integrity
1124 Management establishes restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals System analytics and exception reporting are used to ensure that all data processed are authorized Does management establish restrictive authorization controls within its operations including establishment of controls over source documents and data entry terminals Are system analytics and exception reporting used to ensure that all data processed are authorized
1125 Data validation procedures are in place to ensure accuracy of data manually entered andor interfaced into the system Data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports Are data validation procedures in place to ensure accuracy of data manually entered andor interfaced into the system Do data validation procedures include reconciliations to source datasystem system edit checks and reviews of output reports
1126 Application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file) Do application controls include validation of input data identification and resolution of rejected transactions balancing transactions and reconciliations (to source data to input file to output file)
Disaster Recovery
1127 A disaster response and recovery plan has been developed and is understood by key personnel As part of developing this plan management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources Has a disaster response and recovery plan been developed and is it understood by key personnel As part of developing this plan has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources
1128 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management
1129 Management has established a comprehensive contingency plan that allows for the timely recovery of information This plan is periodically tested and adjusted as appropriate Has management established a comprehensive contingency plan that allows for the timely recovery of information Is this plan periodically tested and adjusted as appropriate
End-User Computing
1130 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543) Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods, for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial and operational issues, budgets and performance in prior periods, for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively, both internally and externally. This would include management's review of changes to statute, regulations, economic changes and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner, based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that the information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communication Internally
14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and compliant with state and federal program requirements. How are changes (i.e., policy/procedural, compliance or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system for recommending improvements to operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors and other parties by establishing open channels of communication. Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process). Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent. What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness and relevance of information?
Principle 15 – Communication Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations and other activities, including budgeting and financing. Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline is in place, and its existence and procedures are known to all vendors, contractors and business partners. Does an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency. Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 – Perform Monitoring Activities
16.1 Management establishes a baseline to monitor the internal control system. Has management established a baseline to monitor the internal control system?
16.2 Management monitors the internal control system through ongoing monitoring and separate evaluations. Ongoing monitoring includes regular management and supervisory activities, comparisons, reconciliations and other routine actions. Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors, external auditors, the inspectors general and other external reviewers. Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable. How does management monitor the internal control system on an ongoing basis? Does management perform separate evaluations in addition to ongoing monitoring? Does management perform these tasks for all appropriate personnel, including at the subrecipient and vendor level when applicable?
16.3 Management undergoes a systematic review and evaluation of each business process deemed critical to the institution's mission, including risks to its reputation. Does management periodically complete a review and evaluation of each mission-critical process?
16.4 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable). Does management obtain the appropriate reports (i.e., SOC reports) from all outside third-party vendors and follow up on deficiencies noted in the reports? If yes, how does management follow up on deficiencies?
16.5 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues, and uses this evaluation to determine the effectiveness of the internal control system. How does management document the results of its ongoing monitoring and separate evaluations of internal controls?
16.6 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment. How does management assess whether changes in the entity or the entity's environment warrant changes in the internal control system?
Principle 17 – Evaluate Issues and Remediate Deficiencies
17.1 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis. How do employees report deficiencies in internal control to management?
17.2 Management evaluates and documents internal control issues, whether identified internally or via external review/audit, and determines appropriate corrective action for internal control deficiencies on a timely basis. How does management evaluate and document internal control issues, whether identified internally or via external review/audit, to determine appropriate corrective action on a timely basis? Is management responsive to findings and recommendations of audits and other reviews? Are corrective action plans monitored?

Written Policy


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance


Risk Assessment Spreadsheet


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point. Management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates, revisions and handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made towards attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, a significant deficiency or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Scoring factors and weights (the weights total 100): Level of documented control procedures 10; Size or volume 10; New products, services or processing systems 10; Personnel turnover and mix 15; Complexity 15; Susceptibility to fraud 15; Information and reporting 10; Inherent level of risk to the organization 10; Frequency mentioned during interviews 5. Each risk is rated per factor, and its total score is the sum of each rating multiplied by the factor's weight.

Risk description, ratings (in the factor order above), and total score:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. Ratings 2, 5, 4, 3, 5, 4, 5, 5, 3. Total score 405.

National Park Service Relationship: The risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. Ratings 3, 5, 4, 3, 4, 1, 2, 5, 5. Total score 335.

Age of Venue - Filene Center: The risk that investment in the physical structure, sound equipment and other venue-related technology cannot be accomplished, resulting in an outdated facility that may not support the mission of the organization. Ratings 3, 5, 4, 3, 4, 3, 1, 4, 3. Total score 335.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. Ratings 5, 2, 1, 5, 3, 2, 3, 5, 5. Total score 335.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. Ratings 3, 5, 3, 1, 4, 2, 4, 5, 5. Total score 330.
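The weighted scoring behind the spreadsheet, as an added example (not code from the presentation or from CLA); factor names, weights, risk names and ratings are the ones on the slide, while the function names, the 1-to-5 rating range and the data layout are my own assumptions.

```python
"""Weighted risk scoring as used in the Enterprise Risk Management sheet.

Added example, not part of the original presentation. Factor names, weights,
risk names and ratings are taken from the slide; function names, the assumed
1..5 rating scale and the data layout are mine.
"""

# Factor weights from the slide's header row; they are percentages and sum to 100.
WEIGHTS = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}

# Ratings from the slide, one per factor in the order of WEIGHTS.
RISKS = {
    "Data Breach": (2, 5, 4, 3, 5, 4, 5, 5, 3),
    "National Park Service Relationship": (3, 5, 4, 3, 4, 1, 2, 5, 5),
    "Age of Venue - Filene Center": (3, 5, 4, 3, 4, 3, 1, 4, 3),
    "Succession Planning": (5, 2, 1, 5, 3, 2, 3, 5, 5),
    "Audience Competition": (3, 5, 3, 1, 4, 2, 4, 5, 5),
}

# Assumed rating scale (every rating on the slide falls in this range).
RATING_MIN, RATING_MAX = 1, 5


def check_weights(weights=WEIGHTS):
    """Reject a sheet whose factor weights do not add up to 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")
    return total


def score_risk(ratings, weights=WEIGHTS):
    """Total score = sum(rating * weight); ranges from 100 (all 1s) to 500 (all 5s)."""
    if len(ratings) != len(weights):
        raise ValueError(f"expected {len(weights)} ratings, got {len(ratings)}")
    for factor, rating in zip(weights, ratings):
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{factor}: rating {rating} outside {RATING_MIN}..{RATING_MAX}")
    return sum(r * w for r, w in zip(ratings, weights.values()))


def factor_contributions(ratings, weights=WEIGHTS):
    """Points each factor contributes to a risk's score, largest first."""
    points = {f: r * w for f, r, w in zip(weights, ratings, weights.values())}
    return dict(sorted(points.items(), key=lambda kv: -kv[1]))


def rank_risks(risks=RISKS, weights=WEIGHTS):
    """Risks ordered by total score, highest first; ties broken by name."""
    check_weights(weights)
    scored = [(name, score_risk(r, weights)) for name, r in risks.items()]
    return sorted(scored, key=lambda ns: (-ns[1], ns[0]))


if __name__ == "__main__":
    ranked = rank_risks()
    for name, total in ranked:
        print(f"{total:>4}  {name}")
    top_name = ranked[0][0]
    print(f"Contributions for {top_name}:")
    for factor, pts in factor_contributions(RISKS[top_name]).items():
        print(f"  {pts:>3}  {factor}")
```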


Internal Control Policies and Procedures

• Develop a template and a location for access and storage – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, Sean.Walker@claconnect.com, 410-308-8081

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice...
  • We Find...
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples (Principle – Control Factor)
1 – Executive Order 1980-18 Amended, Code of Conduct
1 – Performing professional and educational reference checks prior to hiring a new employee
3 – Department Organization Charts
4 – Annual employee performance evaluations
7 – Dept. of Health's Pandemic Influenza Response Plan
10 – Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 – User identification and password to log into your agency's computer network
10 – Reconciling a petty cash checking account to the monthly bank statement
10 – PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 – Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 – Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________ Assessable Unit: _____________ Updated 07/18/2016
Weakness Level (drop-down): Deficiency / Significant Deficiency / Material Weakness
Corrective Action Plan: to be completed for all significant deficiencies or material weaknesses
Columns: Control Factor Statement; Control Factor Question; N/A; Controls Implemented; Action Items/Areas Needing Improvement; Weakness Level; Corrective Action Plan; Responsible Party; Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc. to help mitigate the risk associated with sudden or significant changes in key personnel. Does each Agency/Assessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Is excessive pressure placed on management, staff, contractors, etc. to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The Agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the Agency. The Agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Do you conduct a risk assessment of your business processes? If so, how and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes towards their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Is management open to feedback from employees, and does management continually assess employee attitudes towards their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plan/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
7.7 Management has an appropriate attitude toward risk taking and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated. How does management analyze risk before proceeding with any new venture, mission, or operation? Is this process documented (i.e., minutes of meetings, etc.)?
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., if management is concerned with contracts being awarded above $1 million, all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
• Top-level reviews of performance
• Management of human capital
• Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
• Physical control over vulnerable assets
• Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
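The segregation-of-duties expectation in 10.5 and the annual role review in 10.6 can be checked mechanically against a role export. The script below is an added example, not code from the page or from any agency: the four duty names are taken from 10.5, while the conflict pairs, role names, user assignments and the exception register are constructed assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over a role assignment export.

Added example for items 10.5 and 10.6; it is not code from the page or from
any agency. The four duty names come from item 10.5. The conflict pairs, the
role-to-duty mapping and all user data below are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import combinations

# Duties that item 10.5 says should not all sit with one person.
INITIATE = "initiate transactions"
RECONCILE = "reconcile balances"
HANDLE_ASSETS = "handle assets"
REVIEW = "review reports"

# Assumption: holding any one of these duty pairs is an SoD conflict.
CONFLICT_PAIRS = {
    frozenset({INITIATE, RECONCILE}),
    frozenset({INITIATE, HANDLE_ASSETS}),
    frozenset({HANDLE_ASSETS, RECONCILE}),
    frozenset({INITIATE, REVIEW}),
}

# Assumed role-to-duty mapping for a hypothetical financial application.
ROLE_DUTIES = {
    "AP_CLERK": {INITIATE},
    "GL_ACCOUNTANT": {RECONCILE},
    "CASHIER": {HANDLE_ASSETS},
    "FIN_REVIEWER": {REVIEW},
    "SYS_ADMIN": set(),  # technical role with no business duty (assumption)
}


@dataclass(frozen=True)
class Finding:
    user: str
    duties: frozenset   # the two conflicting duties
    roles: tuple        # roles that grant them
    compensated: bool   # True when a documented compensating control exists


def find_sod_conflicts(assignments, exceptions):
    """assignments: {user: [role, ...]} as exported from the application.
    exceptions: {(user, frozenset of two duties): description} for the
    documented compensating controls that item 10.5 requires.
    Returns one Finding per conflicting duty pair, sorted by user."""
    findings = []
    for user, roles in sorted(assignments.items()):
        held = {}  # duty -> list of roles granting it
        for role in roles:
            for duty in ROLE_DUTIES.get(role, set()):
                held.setdefault(duty, []).append(role)
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in CONFLICT_PAIRS:
                findings.append(Finding(user, pair, tuple(held[a] + held[b]),
                                        (user, pair) in exceptions))
    return findings


def unmitigated(findings):
    """Conflicts with no documented compensating control: the items the
    annual role review in 10.6 has to resolve."""
    return [f for f in findings if not f.compensated]


# Constructed role export and exception register.
ASSIGNMENTS = {
    "jdoe": ["AP_CLERK", "GL_ACCOUNTANT"],
    "asmith": ["CASHIER", "GL_ACCOUNTANT"],
    "bwong": ["FIN_REVIEWER", "SYS_ADMIN"],
    "clee": ["AP_CLERK", "FIN_REVIEWER", "CASHIER"],
}
EXCEPTIONS = {
    ("asmith", frozenset({HANDLE_ASSETS, RECONCILE})):
        "Two-person office; supervisor reviews the monthly cash count (assumed)",
}

if __name__ == "__main__":
    for f in find_sod_conflicts(ASSIGNMENTS, EXCEPTIONS):
        status = "compensated" if f.compensated else "UNMITIGATED"
        print(f"{f.user}: {' + '.join(sorted(f.duties))} via {f.roles} [{status}]")
```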
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters, one numeric and one alpha character are required, and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
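The leaver steps in 11.4 (suspend the ID on the last day, delete it after two weeks) are the part of access administration that most often slips, and the semiannual review in 11.6 is where the slips surface. The script below is an added example, not code from the page or from the Commonwealth: it reconciles a constructed HR separation list against a constructed directory export and reports the IDs that are overdue for suspension or deletion; the IDs, dates and the 14-day constant are assumptions taken from the wording of 11.4.

```python
"""Leaver de-provisioning check for item 11.4.

Added example, not code from the page or from the Commonwealth. It reconciles
an HR separation list against a directory export and reports user IDs that
were not suspended by the employee's last day, or not deleted once the
two-week period in item 11.4 has passed. All IDs and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# "After a two-week period, user IDs are deleted from the system" (item 11.4).
DELETE_AFTER = timedelta(days=14)


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool  # False means the ID is in suspended status


@dataclass(frozen=True)
class Result:
    user_id: str
    status: str  # entries beginning with "OVERDUE" are findings
    detail: str


def check_leavers(separations, accounts, as_of):
    """separations: {user_id: last_day} from HR's separation notices.
    accounts: {user_id: Account} from the directory export; an ID absent
    from the export is treated as already deleted.
    Returns one Result per separated employee, sorted by user_id."""
    results = []
    for user_id, last_day in sorted(separations.items()):
        delete_due = last_day + DELETE_AFTER
        acct = accounts.get(user_id)
        if acct is None:
            results.append(Result(user_id, "deleted",
                                  f"no directory entry as of {as_of}"))
        elif acct.enabled:
            if as_of >= last_day:
                # Should have been suspended on the last day (item 11.4, step 2).
                results.append(Result(user_id, "OVERDUE: not suspended",
                                      f"last day {last_day}, ID still enabled"))
            else:
                results.append(Result(user_id, "pending",
                                      f"last day {last_day} is in the future"))
        elif as_of > delete_due:
            # Suspended, but the two-week deletion window has passed.
            results.append(Result(user_id, "OVERDUE: not deleted",
                                  f"deletion was due {delete_due}"))
        else:
            results.append(Result(user_id, "suspended",
                                  f"deletion due {delete_due}"))
    return results


def findings(results):
    """Only the overdue entries, i.e. what the 11.6 access review must act on."""
    return [r for r in results if r.status.startswith("OVERDUE")]


# Constructed HR separation list and directory export.
AS_OF = date(2017, 9, 30)
SEPARATIONS = {
    "u1001": date(2017, 9, 1),   # already removed from the directory
    "u1002": date(2017, 9, 15),  # suspended, deletion due 2017-09-29
    "u1003": date(2017, 9, 28),  # still enabled two days after last day
    "u1004": date(2017, 10, 6),  # future separation, still working
    "u1005": date(2017, 9, 20),  # suspended, deletion due 2017-10-04
}
ACCOUNTS = {
    "u1002": Account("u1002", enabled=False),
    "u1003": Account("u1003", enabled=True),
    "u1004": Account("u1004", enabled=True),
    "u1005": Account("u1005", enabled=False),
}

if __name__ == "__main__":
    for r in check_leavers(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"{r.user_id:8} {r.status:24} {r.detail}")
```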
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
1127 A disaster response and recovery plan has been developed and is understood by key personnel As part of developing this plan management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources Has a disaster response and recovery plan been developed and is it understood by key personnel As part of developing this plan has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources
1128 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures including offsite storage of backup data as well as environmental controls staff training and hardware maintenance and management
1129 Management has established a comprehensive contingency plan that allows for the timely recovery of information This plan is periodically tested and adjusted as appropriate Has management established a comprehensive contingency plan that allows for the timely recovery of information Is this plan periodically tested and adjusted as appropriate
End-User Computing
1130 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543) Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)
Principle 12 ndash Implement Control Activities
121 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended Are control activities regularly evaluated to ensure that they are still appropriate and working as intended
122 Reviews are made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed Are reviews made of actual performance compared to objectives for specific functions or activities focusing on compliance financial and operational issues budgets and performance in prior periods for all major initiatives Management analyzes and follows up as needed
123 Management documents in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization Management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities Does management document in policies the internal control responsibilities of the organization which could include the day-to-day procedures and timing of certain control activities within the organization How does management communicate to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities
Information and Communication
Principle 13 ndash Use Quality Information
131 Management continuously identifies its information requirements needed to communicate effectively both internally and externally This would include managements review of changes to statute regulations economic changes and other factors How does management continuously identify changes (ie control environment controls internal controls regulations etc)and ensure it is communicated internally andor externally
132 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements Where and when does management obtain its relevant data (both internally and externally) and how does management ensure that information received is reliable and not reporting false information
133 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agencys information system Is management using current complete accurate and accessible information on a timely basis to make informed decisions What reporting mechanisms (ie SAP module manual reports) are being used to run reports to meet the control objectives
Principle 14 ndash Communication Internally
141 Policies and procedures are formally shared with employees up-to-date reflective of actual operating practices in alignment with goals and objectives and comply with state and federal program requirements How are changes (ie policyprocedural compliance or regulatory) communicated to all employees Are policies and procedures reviewed and updated to reflect changes
142 Management ensures that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur How does management ensure that effective internal communications (eg risk management employee specific duties acceptableunacceptable behavior complaintsinquiries system to have improvements recommended or operations employee recognition etc) occur
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Other Implementation Considerations

• Control approval process and communication strategy
• Consider management trainings on internal controls
• Implementation guidance

36


Risk Assessment Spreadsheet

37

Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system, and is based on the Green Book's widely recognized internal control framework, utilized by the United States federal government to develop internal control systems within its organization. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address the unique makeup of their entity.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment/risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being made toward attainment, the yellow status should be selected. If the standard is not being met and there are no steps currently in process toward attainment, the red status should be selected. If the control factor does not apply to your assessment, please mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control system.

Corrective Action Plan Column: Each item must be defined as either a deficiency, significant deficiency, or material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements/errors/non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles are applied to your workplace, presented in the third tab of this file are some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.


Enterprise Risk Management

Scoring factors and weights (weights total 100; each risk is scored per factor, and Total Score is the sum of weight × score):
A. Level of documented control procedures (10)
B. Size or volume (10)
C. New products, services, or processing systems (10)
D. Personnel turnover and mix (15)
E. Complexity (15)
F. Susceptibility to fraud (15)
G. Information and reporting (10)
H. Inherent level of risk to the organization (10)
I. Frequency mentioned during interviews (5)

Risk | A | B | C | D | E | F | G | H | I | Total Score
Data Breach | 2 | 5 | 4 | 3 | 5 | 4 | 5 | 5 | 3 | 405
National Park Service Relationship | 3 | 5 | 4 | 3 | 4 | 1 | 2 | 5 | 5 | 335
Age of Venue - Filene Center | 3 | 5 | 4 | 3 | 4 | 3 | 1 | 4 | 3 | 335
Succession Planning | 5 | 2 | 1 | 5 | 3 | 2 | 3 | 5 | 5 | 335
Audience Competition | 3 | 5 | 3 | 1 | 4 | 2 | 4 | 5 | 5 | 330

Risk descriptions:
Data Breach: The risk that the organization's data is vulnerable to internal or external threats, and should any of the data be compromised, the Wolf Trap brand would be damaged.
National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization.
Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization.
Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination.
Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing.
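The arithmetic behind the Total Score column, as an added example (not code from the presentation, from Wolf Trap, or from the Green Book): the factor names, weights, and scores are transcribed from the slide, while the function names, the assumed 1-to-5 score scale, the check that weights sum to 100, and the "top drivers" breakdown are this example's own. It reproduces the slide's totals and ranking and additionally shows which factors push a given risk's score, which is where a security lead looks when deciding which control to fund first.

```python
"""Weighted risk-register scoring of the kind shown on the slide above.

Added example; not code from the presentation, Wolf Trap, or the Green Book.
Factor names, weights, and scores are transcribed from the slide. Function
names, the assumed 1-5 score scale, and the driver breakdown are assumptions.
"""
from __future__ import annotations

from typing import Mapping, Sequence

# Factor columns in slide order, with the weight row from the slide (sums to 100).
FACTORS: tuple[str, ...] = (
    "Level of documented control procedures",
    "Size or volume",
    "New products, services, or processing systems",
    "Personnel turnover and mix",
    "Complexity",
    "Susceptibility to fraud",
    "Information and reporting",
    "Inherent level of risk to the organization",
    "Frequency mentioned during interviews",
)
WEIGHTS: tuple[int, ...] = (10, 10, 10, 15, 15, 15, 10, 10, 5)

# Scores transcribed from the slide, one per factor, in the same column order.
REGISTER: dict[str, tuple[int, ...]] = {
    "Data Breach": (2, 5, 4, 3, 5, 4, 5, 5, 3),
    "National Park Service Relationship": (3, 5, 4, 3, 4, 1, 2, 5, 5),
    "Age of Venue - Filene Center": (3, 5, 4, 3, 4, 3, 1, 4, 3),
    "Succession Planning": (5, 2, 1, 5, 3, 2, 3, 5, 5),
    "Audience Competition": (3, 5, 3, 1, 4, 2, 4, 5, 5),
}

MIN_SCORE, MAX_SCORE = 1, 5  # assumed scale; every score on the slide falls within it


def weighted_score(scores: Sequence[int], weights: Sequence[int] = WEIGHTS) -> int:
    """Total Score = sum(weight_i * score_i). With 1-5 scores and weights of 100, the range is 100-500."""
    if len(scores) != len(weights):
        raise ValueError(f"expected {len(weights)} scores, got {len(scores)}")
    bad = [s for s in scores if not MIN_SCORE <= s <= MAX_SCORE]
    if bad:
        raise ValueError(f"scores outside {MIN_SCORE}-{MAX_SCORE}: {bad}")
    return sum(w * s for w, s in zip(weights, scores))


def rank_register(register: Mapping[str, Sequence[int]],
                  weights: Sequence[int] = WEIGHTS) -> list[tuple[str, int]]:
    """Score every risk and sort highest first; ties keep register (slide) order."""
    if sum(weights) != 100:
        raise ValueError("weights must sum to 100 so totals are comparable across registers")
    scored = [(name, weighted_score(s, weights)) for name, s in register.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)  # sorted() is stable, even reversed


def top_drivers(scores: Sequence[int], n: int = 3,
                weights: Sequence[int] = WEIGHTS) -> list[tuple[str, int]]:
    """The n factors contributing most (weight * score) to one risk's total; ties keep column order."""
    contributions = [(f, w * s) for f, w, s in zip(FACTORS, weights, scores)]
    return sorted(contributions, key=lambda item: item[1], reverse=True)[:n]


if __name__ == "__main__":
    for name, total in rank_register(REGISTER):
        drivers = ", ".join(f"{f} ({c})" for f, c in top_drivers(REGISTER[name]))
        print(f"{total:>4}  {name:<36}  drivers: {drivers}")
```

Running the script lists the register highest-scored first, with Data Breach at 405 as on the slide; its largest contributors are Complexity (75) and Susceptibility to fraud (60), and the three-way tie at 335 is left in slide order because the sort is stable. Rejecting out-of-range scores and weight rows that do not total 100 keeps totals from different assessable units comparable, which is the property the slide's single Total Score column depends on.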

38


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)

• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication

39


Internal Audit Management Audit Plan

40

twitter.com/CLAconnect | facebook.com/cliftonlarsonallen

linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
Sean.Walker@claconnect.com
410-308-8081

41

  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance – §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
Examples

Principle | Control Factor
1 | Executive Order 1980-18, Amended, Code of Conduct
1 | Performing professional and educational reference checks prior to hiring a new employee
3 | Department organization charts
4 | Annual employee performance evaluations
7 | Dept. of Health's Pandemic Influenza Response Plan
10 | Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
10 | User identification and password to log into your agency's computer network
10 | Reconciling a petty cash checking account to the monthly bank statement
10 | PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
10 | Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
14 | Departmental staff meetings, retreats, strategic planning sessions, etc.
Template

Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Agency: _______________________  Assessable Unit: _____________  Updated: 07/18/2016
Weakness Level drop-down values: Deficiency, Significant Deficiency, Material Weakness (to be completed for all significant deficiencies or material weaknesses)
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 – Demonstrate Commitment to Integrity and Ethical Values
1.1 Executive management has established a "tone at the top" that has been communicated to, and is practiced by, executives and management throughout the agency. Question: Does your Agency/Assessable Unit effectively communicate its mission, vision, goals, and objectives to all employees? Where are these principles located? How often are these principles re-emphasized to the employees (i.e., annually, change of administration)?
1.2 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policy/training, and addresses acceptable operational practices and conflicts of interest. Appropriate disciplinary action is taken in response to departures from such (Management Directive 205.9). Question: Does your Agency/Assessable Unit maintain a code of conduct and comply with Management Directive 205.9? How is the code of conduct communicated to employees? Where is it maintained? How is it enforced?
Principle 2 – Exercise Oversight Responsibility
2.1 Management has established an oversight body to oversee the implementation and continued monitoring of the Green Book (Management Directive 325.12). Question: Has your Agency/Assessable Unit established an oversight body to oversee the implementation and continued monitoring of the Green Book? If yes, who is on the oversight body?
2.2 The oversight body oversees management's design, implementation, and operation of the agency's internal control system. Question: Does the oversight body oversee management's design, implementation, and operation of the internal control system? How often do they meet to review and discuss the internal controls?
Management takes appropriate action when controls are overridden and/or when exceptions to policies and procedures occur. Management reports deficiencies in internal controls to the oversight body. Question: Does the Agency/Assessable Unit have a system in place to identify exceptions to the policies/procedures, and how are they resolved? How does management report internal control deficiencies to the oversight body?
Principle 3 – Establish Structure, Responsibility, and Authority
3.1 Management has an up-to-date organization chart which defines the lines of management authority and responsibility and is shared with employees. Question: Does your Agency/Assessable Unit document its organizational structure in an organizational chart which defines the lines of management authority/responsibility? Does each Agency/Assessable Unit have access to this organizational chart and share it with employees upon updates/revisions?
3.2 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Question: How is each employee in your Agency/Assessable Unit trained to understand their duties and authorities?
3.3 Management appropriately documents its internal control system. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system. Question: How has management documented its internal controls? How does management ensure the controls are implemented and operating as intended?
Principle 4 – Demonstrate Commitment to Competence
4.1 Management performs required personnel actions, including the hiring of the most qualified individuals based on skills, knowledge, and experience, evidence of integrity and ethical behavior, and performing checks on the background, credentials, and references of new employees. Question: When hiring new employees, does your Agency/Assessable Unit ensure the most qualified candidates are selected? Are references checked? Are background checks performed? How is this documented?
4.2 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions. Question: Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed? Are job descriptions maintained and reviewed annually with all employees?
4.3 Employees receive/obtain information and training about internal controls as it pertains to one's position, role, and responsibilities, to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system. Question: Does each employee in the Agency/Assessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system? If yes, how often does this training occur?
4.4 Management utilizes methods such as cross-training, strategic hiring practices, detailed procedure documentation, enhanced supervision, etc., to help mitigate the risk associated with sudden or significant changes in key personnel. Question: Does each Agency/Assessable Unit have detailed procedures or a policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel?
Principle 5 – Enforce Accountability
5.1 Management enforces accountability of all individuals, including all agency personnel as well as all service organizations, by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations. Question: Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities, including responsibilities related to compliance with laws and regulations?
5.2 Job performance is periodically evaluated and reviewed with each employee. Appropriate remedial action is taken when performance expectations are not met. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Question: Does your Agency/Assessable Unit enforce accountability with respect to management, staff, and contractors? Are performance evaluations being conducted on a timely basis to ensure job duties (i.e., reconciliations, reviews) are being performed? What remedial actions are taken when performance is not adequate or inappropriate behavior is reported?
5.3 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities. Excessive pressures are adjusted by rebalancing workloads, increasing resource levels, or by other methods. Question: Is excessive pressure placed on management, staff, contractors, etc., to complete tasks and/or their assigned duties? If yes, how do you protect against the related risks of corners being cut, quality diminishing, etc.?
Risk Assessment
Principle 6 – Define Objectives and Risk Tolerances
6.1 The agency has a defined strategic plan, including a mission statement and defined goals and objectives. Assessable unit goals and objectives are in concert with those of the agency. The agency plan identifies critical success factors and risks, including fraud risk, related to achieving the defined objectives. Measurement criteria are used to regularly assess whether agency objectives are achieved and to identify new risks. Management has established a process to periodically review and update strategic plans and objectives. Question: In your Agency/Assessable Unit's defined strategic plan, how do you specifically address critical success factors and risks related to your goals and objectives? What measurement criteria do you use to continuously evaluate whether objectives are achieved and to evaluate any new risks? What is your process for periodically reviewing and updating the strategic plan and related objectives?
6.2 Management defines risk tolerances for its defined objectives in specific and measurable terms. This includes having specific measures in place to define what is a reasonable level of variation in performance for operational objectives, a reasonable level of precision and accuracy for nonfinancial reporting objectives, and a reasonable level of materiality for financial reporting objectives. Acceptable levels of variation are documented and adhered to by each Assessable Unit. Question: How does management define its risk tolerance for its objectives? Does your Agency/Assessable Unit have a specific measure in place to define what is a reasonable level of variation in performance for operational objectives? Do you have a specific measure in place to define what a reasonable level of precision and accuracy is for non-financial reporting objectives? Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives?
Principle 7 – Identify, Analyze, and Respond to Risks
7.1 A process (i.e., Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of internal risk factors on objectives and plans? If yes, what is your process? How often is the process updated?
7.2 A process exists to identify and consider the implications of external risk factors (new legislation, technological advancements, expectations of the federal government, etc.) on agency/assessable unit-wide objectives and plans. This process is updated at least annually. Question: Does a process exist to identify and consider the implications of external risk factors on objectives and plans? How often is the process updated?
7.3 Management has developed an approach for risk management that assesses the likelihood, frequency, and impact of each identified risk event, assigns a risk category (high, medium, low) to each event, and considers the costs versus the benefits of reducing the risk. Question: Do you conduct a risk assessment of your business processes? If so, how, and how often?
7.4 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities. Question: Are plans developed and documented to mitigate significant identified risks? Are risks mapped to specific control activities?
7.5 Management periodically assesses employee attitudes toward their specific roles in the agency, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Question: Is management open to feedback from employees, and does management continually assess employee attitudes toward their roles (i.e., open-door policy)?
7.6 Risk assessments are conducted on a regular basis. Management periodically evaluates the effectiveness of its risk assessment process, which includes 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plans/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences. Question: Are risk assessments conducted on a regular basis? How does management periodically evaluate the effectiveness of its risk assessment process, including 1) following up on control gaps and/or redundancies identified through the risk assessment process, taking corrective action to develop and/or strengthen internal controls, holding responsible parties accountable, and communicating action plans/status updates to management; and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences?
75 Management periodically assesses employee attitudes towards their specific roles in the agency reviews the effectiveness of the organization structure and evaluates the appropriateness of policies and procedures Is management open to feedback from employees and does management continually assess employee attitudes towards their roles (ie open-door policy)
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made. Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified. How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur. How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel. How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives. How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks. Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information. Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives. Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators. Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk. Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems. Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary). Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated. Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures: top-level reviews of performance; management of human capital; controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.); physical control over vulnerable assets; and appropriate documentation (formal policies, directives, and manuals are properly managed and maintained). Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective. Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule. How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring. Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Do they review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of their service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on their internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider. Does management confirm the operating effectiveness of their service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on their internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports. Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks. Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access). Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status. Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, are one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
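Added example, not part of the original CLA material: a PowerShell check that compares a domain's default password and lockout policy against the four parameters listed in item 11.3. The sample policy object is constructed; the thresholds mirror the item; the live query assumes the RSAT ActiveDirectory module and its Get-ADDefaultDomainPasswordPolicy cmdlet.

```powershell
# Added example (not from the CLA slides): evaluate a password/lockout policy
# against item 11.3. Runs offline against a constructed policy object; the
# live domain query is attempted only when the ActiveDirectory module exists.

function Test-PasswordPolicy {
    param(
        # Object exposing MinPasswordLength, ComplexityEnabled, MaxPasswordAge
        # (TimeSpan) and LockoutThreshold, i.e. the shape returned by
        # Get-ADDefaultDomainPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [int]$MinLength       = 8,    # item 11.3: minimum of 8 characters
        [int]$MaxAgeDays      = 30,   # item 11.3: passwords expire every 30 days
        [int]$LockoutAttempts = 4     # item 11.3: suspended after 4 invalid logins
    )

    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings.Add("MinPasswordLength is $($Policy.MinPasswordLength); control requires at least $MinLength")
    }

    # AD has no "one numeric and one alpha" switch. Its complexity rule
    # (three of four character classes) is the nearest setting and is stricter,
    # so a disabled complexity rule is reported as a gap.
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add("ComplexityEnabled is false; control requires numeric and alpha characters")
    }

    # A zero (or negative) MaxPasswordAge means passwords never expire.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $MaxAgeDays) {
        $findings.Add("MaxPasswordAge is $ageDays days; control requires expiry within $MaxAgeDays days")
    }

    # LockoutThreshold 0 disables account lockout entirely.
    if ($Policy.LockoutThreshold -le 0 -or $Policy.LockoutThreshold -gt $LockoutAttempts) {
        $findings.Add("LockoutThreshold is $($Policy.LockoutThreshold); control requires lockout after $LockoutAttempts invalid attempts")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample policy: meets the complexity rule but fails the other three.
$samplePolicy = [pscustomobject]@{
    MinPasswordLength = 7
    ComplexityEnabled = $true
    MaxPasswordAge    = [TimeSpan]::FromDays(90)
    LockoutThreshold  = 0
}
$result = Test-PasswordPolicy -Policy $samplePolicy
Write-Output ("Sample policy compliant with item 11.3: {0}" -f $result.Compliant)
$result.Findings | ForEach-Object { Write-Output "FINDING: $_" }

# Live check, only where the RSAT ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $live = Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
    Write-Output ("Domain default policy compliant with item 11.3: {0}" -f $live.Compliant)
    $live.Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy -Filter *) override the domain default for the groups they apply to, so each one should be passed through the same check.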
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, the member of this group will grant access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function. Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does the member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
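Added example, not part of the original CLA material: a PowerShell check for the deletion step in item 11.4, listing suspended (disabled) accounts that are still present after the two-week period. The account records in the block are constructed; the live query assumes the RSAT ActiveDirectory module, and using whenChanged as the disable date is an assumption noted in the code.

```powershell
# Added example (not from the CLA slides): find disabled accounts that have
# outlived the two-week deletion window in item 11.4. Runs offline against
# constructed records; the live query runs only when the AD module exists.

function Get-OverdueDisabledAccounts {
    param(
        # Objects exposing SamAccountName, Enabled and WhenChanged (DateTime).
        # WhenChanged approximates the disable date: AD keeps no explicit
        # "disabled on" attribute, and any later edit to the object moves
        # WhenChanged forward, so results are leads to reconcile against the
        # HR separation notice rather than proof by themselves.
        [Parameter(Mandatory)] [object[]]$Accounts,
        [int]$GraceDays = 14,              # item 11.4: deleted after two weeks
        [datetime]$AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$GraceDays)
    foreach ($a in $Accounts) {
        if ($a.Enabled) { continue }                  # only suspended IDs matter
        if ($a.WhenChanged -gt $cutoff) { continue }  # still inside the window
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            DisabledSince  = $a.WhenChanged
            DaysOverdue    = [int]($cutoff - $a.WhenChanged).TotalDays
        }
    }
}

# Constructed sample, evaluated as of a fixed date so the output is stable.
$asOf = Get-Date '2017-06-30'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Enabled = $false; WhenChanged = Get-Date '2017-05-01' }  # overdue
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false; WhenChanged = Get-Date '2017-06-25' }  # within window
    [pscustomobject]@{ SamAccountName = 'bwong';  Enabled = $true;  WhenChanged = Get-Date '2017-01-10' }  # active, ignored
)
Get-OverdueDisabledAccounts -Accounts $sample -AsOf $asOf |
    Format-Table SamAccountName, DisabledSince, DaysOverdue -AutoSize

# Live check against the domain, where the RSAT ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged
    Get-OverdueDisabledAccounts -Accounts $disabled |
        Format-Table SamAccountName, DisabledSince, DaysOverdue -AutoSize
}
```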
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on). In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access. On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security, Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel. Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security, Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system. Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity. Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes. Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change. Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation. Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management. Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required. Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software. Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones. Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations. Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation. Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented. Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment. Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented. Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis. Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket. In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized. Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports. Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file). Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources. Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management. Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate. Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 20543). Has management implemented a methodology and written policies regarding end-user computing (Management Directive 20543)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended. Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities. Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors. How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system. Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up-to-date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements. How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended or operations, employee recognition, etc.) occur. How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended or operations, employee recognition, etc.) occur?
143 Management promotes and fosters trust between employees supervisors and other parties by establishing open channels of communication Are there open channels of communication in your AgencyAssessable Unit What is the policy for staff to be able to communicate with management including any deficiencies in controls that staff may notice
144 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all employees (ie flyer hanging in community room email onboarding process) Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all employees
145 Management periodically evaluates the accuracy timeliness and relevance of its information and communication systems (ie weekly monthly annually) Management questions information on management reports that appears unusual or inconsistent What is the process and timeframe to review reports received from subordinates to evaluate accuracy timeliness and relevance of information
Principle 15 ndash Communication Externally
151 Management ensures that effective external communications (eg open channels with customers suppliers contractors consultants other governments complaintsinquiries advice from outside parties etc) occur with groups that can have a serious impact on programs projects operations and other activities including budgeting and financing Does management have effective communications with important external parties If yes how does management promote these effective communications (ie presentations annual reports press releases news letters)
152 An effective whistleblower protection program and fraud hotline is in place and its existence and procedures are known to all vendors contractors and business partners Does an effective whistleblower protection program and fraud hotline exist Where can this information be found How is this information communicated to all vendors contractors and business partners (ie email)
153 Appropriate management reviews occur prior to report submission to parties outside the agency Does management use professional judgement in regards to what information needs to be reviewed before being released to external parties If yes is this documented in a policy or procedure
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Risk Assessment Spreadsheet


Instructions


The assessment template is a tool for the management of each assessable unit within an agency (see the Preparing the Plan section of the Monitoring Plan Guidance) to document and evaluate the internal control system. It is based on the Green Book's widely recognized internal control framework, which the United States federal government uses to develop internal control systems within its organizations. This template includes common control factors found in many Commonwealth agencies for the 17 principles within the five components of internal control. The control factors are intended to help management consider the degree to which the system is functioning. Many control factors relate to existing legislation and policies, while others reflect business best practices. The list of control factors is not all-inclusive but is provided as a starting point; management is encouraged to add controls relevant to their entity to address its unique makeup.

A copy of the completed Assessment Template, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner will provide easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors. Documentation will vary by agency. The amount of documentation gathered to evidence this assessment depends on an agency's size, the complexity of its organizational structure, and the business activities it performs. Actual documentation may include mission statements, goals, objectives, organization charts, policies and procedures, etc.

When reviewing the assessment, you may determine some control factors to be agency-wide. These control factors would only need to be assessed and documented at the agency level and simply copied to each assessable unit's assessment template. For a majority of agencies it may be logical to have an Executive Level assessable unit. This would capture high-level control environment and risk assessment control factors which may fall outside the purview of individual assessable units.

Rating Columns: When evaluating each control factor, select the rating that best reflects the status at the end of the rating period. If the standard is being met and the controls are effective, select the green status. If there is room for improvement, or the standard is not being met but steps are being taken towards attainment, select the yellow status. If the standard is not being met and there are no steps currently in process toward attainment, select the red status. If the control factor does not apply to your assessment, mark N/A and explain why it is not applicable.

Controls Implemented Column: Document the actions taken and controls implemented within your entity to address the corresponding control factor. Entities are encouraged to identify and document any best practices. This could include a narrative, a reference to a directive, a copy of a document, a link to a web page, etc.

Action Items/Areas Needing Improvement Column: Document areas within the entity that do not currently meet the identified control factor. Identifying areas needing improvement is the first step toward addressing the issue and establishing a strong control system.

Corrective Action Plan Column: Each action item must be defined as either a deficiency, a significant deficiency, or a material weakness by making the appropriate selection with the drop-down arrow in the cell. All significant deficiencies and material weaknesses must then be included in a corrective action plan in accordance with paragraph 6b(5) of Management Directive 325.12, Standards of Internal Controls in Commonwealth Agencies. A deficiency in internal control exists when the design or operation of a control factor does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements, errors, or non-compliance on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that the related overall control principle will not be met.

Responsible Party Column: Identify a responsible party to ensure accountability for outstanding action item(s).

Target Completion Date Column: Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.

Examples Tab: To assist in understanding how the five components of internal control and 17 principles apply to your workplace, the third tab of this file presents some representative examples specific to the Commonwealth. These processes and procedures, which many managers and employees are familiar with, are referenced to the possible associated internal control principle. Note that these examples could be relevant to more than one standard/principle.

Template


Examples




Enterprise Risk Management

Scoring factors and weights (the weights sum to 100):
  Level of documented control procedures: 10
  Size or volume: 10
  New products, services or processing systems: 10
  Personnel turnover and mix: 15
  Complexity: 15
  Susceptibility to fraud: 15
  Information and reporting: 10
  Inherent level of risk to the organization: 10
  Frequency mentioned during interviews: 5
  Total score: 100 (each factor rating multiplied by its weight, summed over the nine factors)

Risk description, factor ratings (in the order listed above), and total score:

Data Breach: The risk that the organization's data is vulnerable to internal or external threats and that, should any of the data be compromised, the Wolf Trap brand would be damaged. Ratings 2, 5, 4, 3, 5, 4, 5, 5, 3. Total score 405.

National Park Service Relationship: Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility, and capabilities of the organization. Ratings 3, 5, 4, 3, 4, 1, 2, 5, 5. Total score 335.

Age of Venue - Filene Center: Risk that investment in the physical structure, sound equipment, and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. Ratings 3, 5, 4, 3, 4, 3, 1, 4, 3. Total score 335.

Succession Planning: The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or not having the capabilities to fill key positions should those positions be vacated for reasons other than termination. Ratings 5, 2, 1, 5, 3, 2, 3, 5, 5. Total score 335.

Audience Competition: The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. Ratings 3, 5, 3, 1, 4, 2, 4, 5, 5. Total score 330.
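The spreadsheet's total score is each factor rating multiplied by that factor's weight and summed, which is how the Data Breach row reaches 405. The following Python is added here as an example; it is not part of the deck and not a CLA or Wolf Trap tool. It reproduces that scoring for the five risks above, checks that the weights sum to 100 and that every rating is in range (the 1 to 5 scale is an assumption; the sheet shows no rating outside it), ranks the register, and reports which factors drive each risk's score. For the Data Breach entry that points at complexity and susceptibility to fraud, which tells a reviewer where control documentation and monitoring effort would move the score most.

```python
"""Weighted inherent-risk scoring of the kind the ERM spreadsheet above uses.

Added example for this page; not CLA's or Wolf Trap's own tool. Factor names
and weights come from the spreadsheet header; the 1..5 rating range is an
assumption (the sheet only shows ratings between 1 and 5).
"""
from dataclasses import dataclass, field

# Scoring factors and weights from the spreadsheet header; weights sum to 100.
FACTOR_WEIGHTS = {
    "Level of documented control procedures": 10,
    "Size or volume": 10,
    "New products, services or processing systems": 10,
    "Personnel turnover and mix": 15,
    "Complexity": 15,
    "Susceptibility to fraud": 15,
    "Information and reporting": 10,
    "Inherent level of risk to the organization": 10,
    "Frequency mentioned during interviews": 5,
}
MIN_RATING, MAX_RATING = 1, 5  # assumed rating scale


@dataclass
class ScoredRisk:
    name: str
    total: int
    contributions: dict = field(default_factory=dict)  # factor -> weight * rating


def validate_weights(weights=FACTOR_WEIGHTS):
    """Reject a weighting scheme that does not sum to 100, so totals stay comparable."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"factor weights sum to {total}, expected 100")
    return total


def score_risk(name, ratings, weights=FACTOR_WEIGHTS):
    """Total score = sum of (rating x weight) over the factors, in header order."""
    if len(ratings) != len(weights):
        raise ValueError(f"{name}: expected {len(weights)} ratings, got {len(ratings)}")
    contributions = {}
    for (factor, weight), rating in zip(weights.items(), ratings):
        if not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(
                f"{name}: rating {rating} for '{factor}' is outside {MIN_RATING}..{MAX_RATING}"
            )
        contributions[factor] = weight * rating
    return ScoredRisk(name, sum(contributions.values()), contributions)


def rank_risks(register, weights=FACTOR_WEIGHTS):
    """Score every entry and order highest total first; ties keep register order."""
    validate_weights(weights)
    scored = [score_risk(name, ratings, weights) for name, ratings in register]
    return sorted(scored, key=lambda s: s.total, reverse=True)  # sorted() is stable


def top_drivers(scored, n=3):
    """Factors contributing most to a risk's total: where control work pays off first."""
    ordered = sorted(scored.contributions.items(), key=lambda kv: kv[1], reverse=True)
    return [factor for factor, _ in ordered[:n]]


# Ratings transcribed from the five rows of the spreadsheet (factor order as above).
RISK_REGISTER = [
    ("Data Breach", [2, 5, 4, 3, 5, 4, 5, 5, 3]),
    ("National Park Service Relationship", [3, 5, 4, 3, 4, 1, 2, 5, 5]),
    ("Age of Venue - Filene Center", [3, 5, 4, 3, 4, 3, 1, 4, 3]),
    ("Succession Planning", [5, 2, 1, 5, 3, 2, 3, 5, 5]),
    ("Audience Competition", [3, 5, 3, 1, 4, 2, 4, 5, 5]),
]

if __name__ == "__main__":
    for risk in rank_risks(RISK_REGISTER):
        print(f"{risk.total:4d}  {risk.name:36s}  drivers: {', '.join(top_drivers(risk))}")
```

Because three risks tie at 335, the ranking alone does not say which to treat first; `top_drivers` separates them by showing that, for example, Succession Planning is driven by documented procedures and turnover while the venue risk is driven by size and complexity, which are different kinds of control work.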



Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy components
  – Identify the risk
  – Document the control activities
  – Strategy for communication



Internal Audit Management Audit Plan


twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS, Principal, SeanWalker@claconnect.com, 410-308-8081


  • Internal Control over Compliance: Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance - §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles, and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress - Organizing
  • Incremental Progress - Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
Examples of control factors, by principle:
Principle 1: Executive Order 1980-18 Amended, Code of Conduct
Principle 1: Performing professional and educational reference checks prior to hiring a new employee
Principle 3: Department organization charts
Principle 4: Annual employee performance evaluations
Principle 7: Dept. of Health's Pandemic Influenza Response Plan
Principle 10: Use of a safe or locking cabinet, etc., to secure cash receipts or petty cash
Principle 10: User identification and password to log into your agency's computer network
Principle 10: Reconciling a petty cash checking account to the monthly bank statement
Principle 10: PennDOT requiring customers to provide specific documentation (e.g., proof of identity, automobile insurance card) prior to issuing a vehicle registration
Principle 10: Dept. of Agriculture Weights and Measures Division inspections of retail motor fuel dispensers to ensure accuracy for consumers
Principle 14: Departmental staff meetings, retreats, strategic planning sessions, etc.
Internal Control Assessment Template for the Fiscal Year Ended June 30, 20xx
Weakness Level drop-down values: Deficiency / Significant Deficiency / Material Weakness
Agency: _______________________   Assessable Unit: _____________   Updated 07/18/2016
To be completed for all significant deficiencies or material weaknesses.
Columns: Control Factor Statement | Control Factor Question | N/A | Controls Implemented | Action Items/Areas Needing Improvement | Weakness Level | Corrective Action Plan | Responsible Party | Target Completion Date
Control Environment
Principle 1 ndash Demonstrate Commitment to Integrity and Ethical Values
11 Executive management has established a ldquotone at the toprdquo that has been communicated to and is practiced by executives and management throughout the agency Does your AgencyAssessable Unit effectively communicate its Mission Vision Goals and Objectives to all employees Where are these principles located How often are these principles reemphasized to the employees (ie annually change of administration)
12 Management enforces a formal code or codes of conduct communicating appropriate ethical and moral behavioral standards through policytraining and addresses acceptable operational practices and conflicts of interest Appropriate disciplinary action is taken in response to departures from such (Management Directive 2059) Does your AgencyAssessable Unit maintain a code of conduct and comply with Management Directive 2059 How is the code of conduct communicated to employees Where is it maintained How is it enforced
Principle 2 ndash Exercise Oversight Responsibility
21 Management has established an oversight body to oversee the implementation and continued monitoring of Green Book (Management Directive 32512) Has your AgencyAssessable Unit established an oversight body to oversee the implementation and continued monitoring of Green Book If yes who is on the oversight body
22 The oversight body oversees managements design implementation and operation of the agencys internal control system Does the oversight body oversee managements design implementation and operation of the internal control system How often do they meet to review and discuss the internal controls
Management takes appropriate action when controls are overridden andor when exceptions to policies and procedures occur Management reports deficiencies in internal controls to the oversight body Does the AgencyAssessable Unit have a system in place to identify exceptions to the policiesprocedures and how are they resolved How does management report internal control deficiencies to the oversight body
Principle 3 ndash Establish Structure Responsibility and Authority
31 Management has an up-to-date organization chart which defines the lines of management authority responsibility and is shared with employees Does your AgencyAssessable Unit document its organizational structure in an organizational chart which defines the lines of management authorityresponsibility Does each AgencyAssessable Unit have access to this organizational chart and share it with employees upon updatesrevisions
32 Management appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives How is each employee in your AgencyAssessable Unit trained to understand their duties and authorities
33 Management appropriately documents its internal control system Documentation is required to demonstrate the design implementation and operating effectiveness of an entitys internal control system How has management documented its internal controls How does management ensure the controls are implemented and operating as intended
Principle 4 ndash Demonstrate Commitment to Competence
41 Management performs required personnel actions including the hiring of most qualified individuals based on skills knowledge and experience evidence of integrity and ethical behavior and performing checks on background credentials and references of new employees When hiring new employees does your AgencyAssessable Unit ensure the most qualified candidates are selected Are references checked Are background checks performed How is this documented
42 Management has identified and defined the tasks required to accomplish particular jobs and fill various positions Are meetings held with management to review its organizational needs to ensure that necessary positions are filled and additional positions are created when needed Are job descriptions maintained and reviewed annually with all employees
43 Employees receiveobtain information and training about internal controls as it pertains to onersquos position role and responsibilities to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system Does each employee in the AgencyAssessable Unit receive training to maintain and improve their competence for their jobs and enable each employee to contribute effectively to maintaining an effective internal control system If yes how often does this training occur
44 Management utilizes methods such as cross-training strategic hiring practices detailed procedure documentation enhanced supervision etc to help mitigate the risk associated with sudden or significant changes in key personnel Does each AgencyAssessable Unit have detailed procedures or policy to cross-train employees or transition other employees into key roles in case of sudden changes in key personnel
Principle 5 ndash Enforce Accountability
51 Management enforces accountability of all individuals including all agency personnel as well as all service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations Does management enforce accountability of all individuals and service organizations by designating their internal control responsibilities including responsibilities related to compliance with laws and regulations
52 Job performance is periodically evaluated and reviewed with each employee Appropriate remedial action is taken when performance expectations are not met Inappropriate behavior is consistently reprimanded in a timely and direct manner regardless of the individualrsquos position or status Does your AgencyAssessable Unit enforce accountability with respect to management staff and contractors Are performance evaluations being conducted on a timely basis to ensure job duties (ie reconciliations reviews) are being performed What remedial actions are taken when performance is not adequate or inappropriate behavior is reported
53 Excessive pressure on employees is evaluated to ensure they are able to fulfill their assigned responsibilities Excessive pressures are adjusted by rebalancing workloads increasing resource levels or by other methods Is excessive pressure placed on management staff contractors etc to complete tasks andor their assigned duties If yes how do you protect against the related risks of corners being cut quality diminishing etc
Risk Assessment
Principle 6 ndash Define Objectives and Risk Tolerances
61 Agency has a defined strategic plan including a mission statement and defined goals and objectives Assessable unit goals and objectives are in concert with those of the Agency The Agency plan identifies critical success factors and risks including fraud risk related to achieving the defined objectives Measurement criteria are used to regularly assess whether agency objectives are achieved and identify new risks Management has established a process to periodically review and update strategic plans and objectives In your AgencyAssessable Units defined strategic plan how do you specifically address critical success factors and risks related to your goals and objectives What measurement criteria do you use to continuously evaluate whether objectives are achieved and evaluate any new risks What is your process for periodically reviewing and updating the strategic plan and related objectives
62 Management defines risk tolerances for its defined objectives in specific and measurable terms This includes having specific measures in place to define what is a reasonable level of variation in performance in operational objectives a reasonable level of precision and accuracy for nonfinancial reporting objectives and a reasonable level of materiality for financial reporting objectives Acceptable levels of variation are documented and adhered to by each Assessable Unit How does management define its risk tolerance for their objectives Does your AgencyAssessable Unit have a specific measure in place to define what is a reasonable level of variation in performance in operation objectives Do you have a specific measure in place to define what a reasonable level of precision and accuracy are for non-financial reporting objectives Do you have a specific measure in place to define a reasonable level of materiality to be used in making decisions regarding financial reporting objectives
Principle 7 ndash Identify Analyze and Respond to Risks
71 A process (ie Strengths Weaknesses Opportunities and Threats (SWOT) analysis) exists to identify and consider the implications of internal risk factors (new personnel new information systems changes in management responsibilities new or changed educational or research programs etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of internal risk factors on objectives and plans If yes what is your process How often is the process updated
72 A process exists to identify and consider the implications of external risk factors (new legislation technological advancements expectations of the federal government etc) on agencyassessable unit-wide objectives and plans This process is updated at least annually Does a process exist to identify and consider the implications of external risk factors objectives and plans How often is the process updated
73 Management has developed an approach for risk management that assesses the likelihood frequency and impact of each identified risk event assigns a risk category (high medium low) to each event and considers the costs versus the benefits of reducing the risk Do you conduct a risk assessment of your business processes If so how and how often
74 Senior management develops and documents its plans to mitigate significant identified risks by mapping risks to control activities Are plans developed and documented to mitigate significant identified risks Are risks mapped to specific control activities
75 Management periodically assesses employee attitudes towards their specific roles in the agency reviews the effectiveness of the organization structure and evaluates the appropriateness of policies and procedures Is management open to feedback from employees and does management continually assess employee attitudes towards their roles (ie open-door policy)
76 Risk assessments are conducted on a regular basis Management periodically evaluates the effectiveness of its risk assessment process which includes 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences Are risk assessments conducted on a regular basis How does management periodically evaluate the effectiveness of its risk assessment process including 1) following up on control gaps andor redundancies identified through the risk assessment process taking corrective action to develop andor strengthen internal controls holding responsible parties accountable and communicating action planstatus updates to management and 2) allocating resources to those areas of risk where the combination of risk likelihood and impact will sustain the greatest negative consequences
77 Management has an appropriate attitude toward risk taking and proceeds with new ventures missions or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated How does management analyze risk before proceeding with any new venture mission or operation Is this process documented (ie minutes of meetings etc)
Principle 8 – Assess Fraud Risk
8.1 Specific antifraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected. Management has a fraud response plan in place and knows how to respond timely if a fraud allegation is made.
    Questions: Does your Agency/Assessable Unit have specific internal antifraud policies, and has training been developed? If yes, is there a required periodic training for each employee to complete and sign off on? What is management's internal fraud response plan, and how does it respond timely if an internal fraud allegation is made?
8.2 Management performs fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., fraudulent financial reporting, misappropriation of assets, corruption). Management identifies fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) that often lead to fraud being committed. Also, management identifies other forms of misconduct that can occur, such as waste and abuse. The assessment considers how to remedy control deficiencies identified.
    Questions: How does management perform fraud risk assessments on a regular basis to identify types of fraud that may be occurring (i.e., review segregation of duties and cash controls to ensure that misappropriation of assets is not occurring)? How does management identify fraud risk factors? How does management consider other forms of misconduct, such as waste and abuse?
8.3 Management appropriately responds to identified fraud risk factors to mitigate the potential for fraudulent activity to occur.
    Questions: How does management respond to any identified fraud risk factors (i.e., implement compensating controls to deter fraud)? How are identified fraud risk factors communicated to employees?
Principle 9 – Identify, Analyze, and Respond to Change
9.1 Management reviews risk assessments and identifies changes that need to be implemented to ensure controls will continue to operate efficiently and effectively. Management forecasts potential internal and external conditions that could change in the future and communicates effectively to appropriate personnel.
    Questions: How does management review risk assessments and identify changes needed to ensure controls will continue to operate efficiently and effectively? Does management forecast potential internal and external conditions that could change in the future and communicate these conditions to appropriate personnel?
9.2 Mechanisms exist to identify, prioritize, and react to 1) routine events (i.e., turnover), 2) economic change, 3) regulatory changes, and 4) technological changes that impact the achievement of agency/assessable unit-wide objectives.
    Questions: How does your Agency/Assessable Unit identify, prioritize, and react to routine events, economic change, regulatory changes, new legislation, and technological changes? How do you ensure that none of these changes are overlooked?
9.3 Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Questions: Does management promote continuous improvement and solicit input and feedback on the implications of significant change? If yes, how does management evaluate staff and promote continuous improvement?
Control Activities
Principle 10 – Design Control Activities
10.1 Policies, procedures, techniques, and/or mechanisms are in place to enforce management's directives to achieve the entity's objectives and address related risks.
    Questions: Does your Agency/Assessable Unit have policies, procedures, techniques, and/or mechanisms in place to enforce management's directives to achieve objectives and address related risks?
10.2 Policies and procedures address the handling of confidential or sensitive information, such as social security numbers or protected health information.
    Questions: Does your Agency/Assessable Unit have policies and procedures in place to address the handling of confidential or sensitive information?
10.3 Management has defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve agency or bureau control objectives.
    Questions: Has your Agency/Assessable Unit defined and appropriately assigned employee job duties, roles, and responsibilities to qualified personnel to achieve control objectives?
10.4 The agency has established and monitors performance measures and indicators.
    Questions: Do you monitor performance measures?
10.5 Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example, no one person should initiate transactions, reconcile balances, handle assets, and review reports. If adequate segregation of duties is not practical, management has designed compensating control activities (i.e., additional supervision and review) to address the entity's risk.
    Questions: Does your Agency/Assessable Unit have a process in place to ensure there is adequate segregation of duties? If there are exceptions (i.e., instances where segregation of duties is not practical due to resource constraints), have compensating controls been implemented and documented to address the associated risks?
10.6 Security and data access policies and procedures are in place to ensure timely review of user accounts and the roles they are assigned within IT systems. The security and data policy should include access control, user provisioning, etc. At a minimum, an annual review of roles should be performed by management to ensure proper segregation of duties within IT systems.
    Questions: Has your Agency/Assessable Unit implemented IT security and data access policies and procedures to ensure timely review of user accounts and roles assigned in your IT systems? Do the procedures implemented include access control, user provisioning, etc.? Are roles reviewed at least annually to ensure proper segregation of duties within your IT systems?
10.7 Management designs control activities to ensure certain transactions receive appropriate levels of review based on predetermined criteria set by management in response to determined risks (i.e., management is concerned with contracts being awarded above $1 million; all contracts over $1 million must be reviewed and signed off by the Deputy Secretary).
    Questions: Are dollar thresholds established to escalate transactions to a higher level of management for review/approval?
10.8 Accounting reports and key reconciliations are completed timely (i.e., reconciliation of grant expenditures is prepared and reviewed; purchasing card reconciliations). Management performs a diligent review and signifies approval by signature and date. Unexpected operating results or unusual trends are investigated.
    Questions: Are accounting reports and reconciliations completed timely, documented, and reviewed and approved (evidenced by signatures and dates of those responsible)? Are anomalies investigated?
10.9 Management designs appropriate types of control activities to address risks surrounding their control objectives. Management will take into consideration the following controls when designing effective control procedures:
    • Top-level reviews of performance
    • Management of human capital
    • Controls over information processing (i.e., edit checks of data entered, accounting for transactions in numerical sequences, batch totals with control accounts, etc.)
    • Physical control over vulnerable assets
    • Appropriate documentation (formal policies, directives, and manuals are properly managed and maintained)
    Questions: Does management utilize the appropriate type of control activities needed to address risks?
10.10 Management designs controls at the appropriate levels in the organizational structure (entity-level, bureau-level, transaction-level) in response to risks identified. Management will incorporate transactional/activity controls (i.e., reconciliations, authorizations, etc.) into the operational process when necessary, depending on the relevance of the transaction cycle in meeting the overall bureau control objective.
    Questions: Does management design controls at the appropriate level in response to risks identified? Has management incorporated transactional/activity controls depending on the relevance of the transaction cycle in meeting the overall Agency/Assessable Unit control objective?
10.11 Employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed and are disposed of according to the updated retention schedule.
    Questions: How does management ensure that employees are aware of record retention policies and that records are appropriately maintained and disposed of according to the retention schedule?
10.12 Management has a written policy in place which defines the procedures for monitoring sub-recipients: 1) the agency/assessable unit documents its review of sub-recipients; 2) the agency/assessable unit reviews corrective action plans of sub-recipients and follows up on past exceptions in future monitoring.
    Questions: Does management have a written policy in place which defines the procedures for monitoring sub-recipients? Does management document its review of sub-recipients? Does it review corrective action plans of sub-recipients and follow up on past exceptions in future monitoring?
10.13 Management confirms the operating effectiveness of its service providers' controls. Management inventories existing outsourced vendor relationships and assesses the impact of these outsourced services on its internal control environment. Management determines whether examinations, audits, service level agreements, and related independent reports (i.e., Service Organization Control (SOC) 1, SOC 2, and/or SOC 3 reports, security assessments, system certifications, etc.) should be/are required as part of the contract with the third-party service provider.
    Questions: Does management confirm the operating effectiveness of its service providers' controls? Does management inventory existing outsourced vendor relationships and assess the impact of these outsourced services on its internal control environment? Does management determine whether examinations, audits, service level agreements, and related independent reports should be/are required as part of the contract with the third-party service provider?
10.14 Management obtains and reviews all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follows up on any areas of concern/deficiencies identified in the reports.
    Questions: Does management obtain and review all independent reports to ensure the independent report covers controls related to risks identified through the vendor relationship with the Commonwealth, and follow up on any areas of concern/deficiencies identified in the reports?
Principle 11 – Design Activities for the Information System
Access to Programs and Data
11.1 Management designs the information system and use of the information technology by considering the requirements for the unit's/agency's operational processes. Management classifies information resources according to their criticality and sensitivity as they relate to the agency's objectives and risks.
    Questions: Does management design the information system and use of the information technology by considering the requirements for the Agency/Assessable Unit's operational processes? Does management classify information resources according to their criticality and sensitivity as they relate to the Agency/Assessable Unit's objectives and risks?
11.2 Information Security Policy/User Awareness: 1) Information security policies and procedures are documented and include user security administration, password management, login requirements, data security, privacy, and e-mail usage. 2) Information security policies are disseminated to all users (i.e., online shared document repository or web portal with documents available for employee review/access).
    Questions: Are information security policies and procedures documented, and do they include user security administration, password management, login requirements, data security, privacy, and e-mail usage? Are information security policies disseminated to all users?
11.3 Microsoft Active Directory and other application settings are in place to control access to systems through password parameter settings. Passwords are required to be a minimum of 8 characters; one numeric and one alpha character are required; and passwords expire every 30 days. User sessions are terminated after four invalid login attempts, and user IDs are placed in a suspended status.
    Questions: Are Microsoft Active Directory and other application settings in place to control access to systems through password parameter settings? Are passwords required to be a minimum of 8 characters, with one numeric and one alpha character required, and do passwords expire every 30 days? Are user sessions terminated after four invalid login attempts, and are user IDs placed in a suspended status?
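The lockout behaviour in 11.3 is easiest to reason about as a small state machine: a per-ID failure counter that resets on success, a suspended set that the fourth invalid attempt moves the ID into, and a rule that a suspended ID is refused even when the correct credential is later presented. The Python below is an added illustration of exactly that logic, together with the minimum-length/alpha/numeric password parameters from the same row; it is not code from the presentation or from CliftonLarsonAllen, and the user IDs and event sequence are constructed sample data. The administrator reinstatement step is an assumed process the page does not describe.

```python
from collections import defaultdict

# Parameters taken from the 11.3 control statement.
MAX_INVALID_ATTEMPTS = 4     # the fourth invalid attempt suspends the user ID
MIN_PASSWORD_LENGTH = 8      # minimum length, plus one alpha and one numeric character


class LoginGuard:
    """Tracks invalid login attempts per user ID and suspends the ID after
    MAX_INVALID_ATTEMPTS consecutive failures. The counter resets on success;
    a suspended ID is refused even when the correct credential is presented,
    until an administrator reinstates it."""

    def __init__(self, max_attempts=MAX_INVALID_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)   # user_id -> consecutive failures
        self.suspended = set()             # user IDs in suspended status

    def attempt(self, user_id, credential_ok):
        """Apply one login attempt; returns 'ok', 'denied' or 'suspended'."""
        if user_id in self.suspended:
            return "suspended"             # session terminated regardless of credential
        if credential_ok:
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] += 1
        if self.failures[user_id] >= self.max_attempts:
            self.suspended.add(user_id)
            return "suspended"
        return "denied"

    def reinstate(self, user_id):
        """Administrator action after identity verification (assumed process)."""
        self.suspended.discard(user_id)
        self.failures[user_id] = 0


def password_meets_policy(password):
    """Minimum 8 characters with at least one alpha and one numeric character."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


# Constructed authentication events (not from the page): (user_id, credential_ok).
SAMPLE_EVENTS = [
    ("alice", False), ("alice", False), ("alice", True),              # counter resets on success
    ("bob", False), ("bob", False), ("bob", False), ("bob", False),   # fourth failure suspends
    ("bob", True),                                                    # refused while suspended
    ("carol", False), ("carol", False), ("carol", False),             # three failures, still active
]


def replay(events, guard=None):
    """Feed events through a guard; returns (per-attempt outcomes, guard)."""
    guard = guard or LoginGuard()
    return [guard.attempt(user_id, ok) for user_id, ok in events], guard


if __name__ == "__main__":
    outcomes, guard = replay(SAMPLE_EVENTS)
    for (user_id, _), outcome in zip(SAMPLE_EVENTS, outcomes):
        print(f"{user_id:8} {outcome}")
    print("suspended IDs:", sorted(guard.suspended))
```

Note that the counter is consecutive failures, not failures per day: Alice's two misses are forgotten once she logs in, while Carol's three misses stay on the books until she either succeeds or trips the fourth. An auditor testing this row would want to see the suspended set reflected in the directory's account status, not only in an application log.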
11.4 Access Administration: 1) Network and application access requests for new employees are communicated through e-mail notification from the HR department to the system administrators. Upon receiving notification, a member of this group grants access based upon job responsibilities. 2) When an employee separates from Commonwealth employment, HR notifies the system administrators via e-mail. Upon notification, the system administrator suspends the user's ID on the employee's last day. After a two-week period, user IDs are deleted from the system. 3) Administrative access to the network and applications is restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function.
    Questions: Access Administration: 1) Are network and application access requests for new employees communicated through e-mail notification from the HR department to the system administrators? Upon receiving notification, does a member of this group grant access based upon job responsibilities? 2) When an employee separates from Commonwealth employment, does HR notify the system administrators via e-mail? Upon notification, does the system administrator suspend the user's ID on the employee's termination date? 3) Is administrative access to the network and applications restricted to individuals in the IT group who have been appropriately authorized by management and require this level of access to perform their job function?
11.5 In order to access application functionality, users must authenticate through the network using a unique user ID and password (Commonwealth Single Sign-on).
    Questions: In order to access application functionality, do users have to authenticate through the network using a unique user ID and password?
11.6 On a semiannual basis, management performs an access review of all users. Business managers are required to verify that access is commensurate with users' job function. The Data Security group is responsible for performing all modifications to information system access.
    Questions: On at least a semiannual basis, does management perform an access review of all users? Are business managers required to verify that access is commensurate with users' job function? Is the Data Security group responsible for granting, changing, and removing access to information systems?
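Rows 11.4 and 11.6 together describe one reconciliation: the HR roster (who is employed, in what job, and who has separated) against the directory or application account export (which IDs are enabled, when they were suspended, and what roles they hold). The Python below is an added example of that reconciliation, not code from the presentation or from CliftonLarsonAllen. The employee IDs, user IDs, job functions, role names and dates are constructed sample data, and the role matrix stands in for the business managers' documented view of which roles are commensurate with each job function. The two-week deletion window is the one stated in 11.4.

```python
from datetime import date, timedelta

# Constructed sample exports (not from the page). In practice these would be the
# HR separation report and the directory/application user export that the
# 11.4 and 11.6 controls rely on.
HR_ROSTER = [
    # (employee_id, job_function, separation_date or None while employed)
    ("E100", "grants_officer", None),
    ("E101", "purchasing", date(2017, 3, 10)),
    ("E102", "accounting", date(2017, 2, 1)),
    ("E103", "it_admin", None),
]

ACCOUNTS = [
    # (user_id, employee_id, enabled, suspended_on, assigned roles)
    ("alice", "E100", True, None, {"grants_view", "grants_approve"}),
    ("bob", "E101", True, None, {"purchasing_entry"}),
    ("carol", "E102", False, date(2017, 2, 1), {"ap_entry"}),
    ("dave", "E103", True, None, {"domain_admin"}),
    ("svc_legacy", None, True, None, {"ap_entry"}),
]

# Roles management has documented as commensurate with each job function
# (constructed; the business managers' sign-off in 11.6 would maintain this).
ROLE_MATRIX = {
    "grants_officer": {"grants_view"},
    "purchasing": {"purchasing_entry"},
    "accounting": {"ap_entry", "gl_view"},
    "it_admin": {"domain_admin"},
}

# 11.4: suspend on the last day, delete after a two-week period.
DELETE_AFTER = timedelta(days=14)

# Date of the semiannual review run in the demonstration (constructed).
REVIEW_DATE = date(2017, 4, 1)


def review_accounts(roster, accounts, role_matrix, as_of):
    """Return (user_id, finding) pairs for the access review, in account order."""
    hr = {emp_id: (job, sep) for emp_id, job, sep in roster}
    findings = []
    for user_id, emp_id, enabled, suspended_on, roles in accounts:
        if emp_id not in hr:
            # No owner in HR: an orphaned, shared or service ID that needs an owner.
            findings.append((user_id, "no_hr_record"))
            continue
        job, separated_on = hr[emp_id]
        if separated_on is not None and separated_on <= as_of:
            if enabled:
                findings.append((user_id, "enabled_after_separation"))
            elif suspended_on is not None and as_of - suspended_on > DELETE_AFTER:
                findings.append((user_id, "suspended_but_not_deleted"))
        # Access review: any role beyond what the job function is approved for.
        excess = roles - role_matrix.get(job, set())
        if excess:
            findings.append((user_id, "excess_access:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_accounts(HR_ROSTER, ACCOUNTS, ROLE_MATRIX, REVIEW_DATE):
        print(f"{user_id:12} {finding}")
```

The four finding types map directly onto the questions in the two rows: an ID still enabled after the separation date (suspension not performed), an ID suspended but still present past the two-week window (deletion not performed), an ID with no HR owner (a shared or leftover account that no business manager can attest to), and roles that exceed the documented job function (the "commensurate with job function" check). Evidence for the review is the finding list plus the manager sign-off on each one.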
11.7 Super Users/Privileged Access: 1) Access to special privileges (i.e., Security Super) within applications is limited to personnel authorized by management. 2) Administrative access to the operating system/servers is limited to authorized personnel. 3) Administrative and privileged access (write/execute) to databases is limited to authorized personnel.
    Questions: Super Users/Privileged Access: 1) Is access to special privileges (i.e., Security Super) within applications limited to personnel authorized by management? 2) Is administrative access to the operating system/servers limited to authorized personnel? 3) Is administrative and privileged access (write/execute) to databases limited to authorized personnel? Is super user activity logged and monitored?
11.8 Physical Access: 1) Access to the Data Center requires a card key and/or PIN code, and only individuals who need access to perform their daily job responsibilities have access. Access logs are reviewed to ensure no unauthorized personnel were admitted. 2) A card key administration system is used to create and print security card keys and enter changes to cardholders and their privileges. The software functions are password protected, and only the administrator and designated backups have access to the system.
    Questions: Physical Access: 1) Is access to the Data Center restricted, requiring a card key and/or PIN code, and are only those individuals who need access to perform their daily job responsibilities able to access it? Are access logs reviewed? 2) Is a card key administration system used to create and print security card keys and enter changes to cardholders and their privileges? Are software functions password protected, and do only the administrator and designated backups have access to the system?
11.9 Firewalls, intrusion prevention systems, and spam filters are in place at the perimeter of the network to reduce the risk of unauthorized access. Management periodically monitors reports/logs to identify potential unauthorized activity.
    Questions: Are firewalls, intrusion prevention systems, and spam filters in place at the perimeter of the network to reduce the risk of unauthorized access? Does management periodically monitor reports/logs to identify potential unauthorized activity?
Program Changes
11.10 Written systems and programming standards are established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes.
    Questions: Have written systems and programming standards been established to outline requirements for changes to application software, system patching, configuration changes, and emergency changes?
11.11 Management authorization is requested and obtained prior to initiating an application change.
    Questions: Is management authorization requested and obtained prior to initiating an application change?
11.12 Application changes are tested, and results of successful testing are documented prior to implementation.
    Questions: Are application changes tested, and are results of successful testing documented prior to implementation?
11.13 Management approval is requested and obtained prior to final implementation of an application change. Approval for emergency changes is documented by management.
    Questions: Is management approval requested and obtained prior to final implementation of an application change? Is approval for emergency changes documented by management?
11.14 Administrative access required to implement system software changes into the production environment is restricted to authorized personnel who require such access to perform job duties. Developers and end users do not have the administrative access required to implement system software changes into the production environment. Shared/system user IDs do not exist AND/OR the implementation of changes is performed through the use of a scheduled job. Release notices are sent to IT staff and business units as required.
    Questions: Is administrative access required to implement system software changes into the production environment, and is this access restricted to authorized personnel who require such access to perform job duties? How does management ensure that developers and end users do not have the administrative access required to implement system software changes into the production environment? How does management ensure that shared/system user IDs do not exist? Are release notices sent to IT staff and business units as required?
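Row 10.5 and row 11.14 are the same control seen from two sides: a list of duty combinations no single person may hold (initiate, reconcile, handle assets, review; develop and deploy to production), a mapping from system roles to the duties they confer, and a documented compensating control wherever full segregation is impractical. The Python below is an added example of checking an account export against such a list; it is not code from the presentation or from CliftonLarsonAllen, and the role names, user IDs, employee IDs and the compensating-control register are constructed. An account with no owning employee is reported as a shared or system ID, which 11.14 says should not exist.

```python
# Duties that must not be held by one person, drawn from the examples in 10.5
# (initiate, reconcile, handle assets, review) and 11.14 (develop vs deploy).
CONFLICTING_DUTIES = [
    frozenset({"initiate_transaction", "reconcile_balances"}),
    frozenset({"initiate_transaction", "handle_assets"}),
    frozenset({"initiate_transaction", "review_reports"}),
    frozenset({"handle_assets", "reconcile_balances"}),
    frozenset({"develop_code", "deploy_to_production"}),
]

# Which system roles confer which duties (constructed role names).
ROLE_DUTIES = {
    "ap_clerk": {"initiate_transaction"},
    "ap_reconciler": {"reconcile_balances"},
    "cashier": {"handle_assets"},
    "ap_reviewer": {"review_reports"},
    "developer": {"develop_code"},
    "release_manager": {"deploy_to_production"},
}

# Constructed account export: user_id -> (owning employee ID or None, roles).
# A None owner marks a shared or system ID.
ACCOUNTS = {
    "alice": ("E100", {"ap_clerk", "ap_reconciler"}),
    "bob": ("E101", {"cashier"}),
    "carol": ("E102", {"developer", "release_manager"}),
    "dave": ("E103", {"ap_reviewer"}),
    "deploy_svc": (None, {"release_manager"}),
}

# Documented exceptions with a compensating control (10.5), keyed by
# (user_id, conflicting duty pair). Constructed.
COMPENSATING_CONTROLS = {
    ("alice", frozenset({"initiate_transaction", "reconcile_balances"})):
        "supervisor reviews and signs the monthly AP reconciliation",
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Expand a set of role names into the duties they confer."""
    return set().union(*(role_duties.get(role, set()) for role in roles))


def sod_findings(accounts, conflicting=CONFLICTING_DUTIES,
                 compensating=COMPENSATING_CONTROLS):
    """Return (user_id, finding, duty_pair) tuples, ordered by user ID.

    A conflict held by a user who appears in the compensating-control register
    is reported as mitigated; any other conflict is unmitigated and needs either
    a role change or a documented compensating control."""
    findings = []
    for user_id, (owner, roles) in sorted(accounts.items()):
        if owner is None:
            findings.append((user_id, "shared_or_system_id", None))
        held = duties_for(roles)
        for pair in conflicting:
            if pair <= held:
                mitigated = (user_id, pair) in compensating
                finding = "conflict_mitigated" if mitigated else "conflict_unmitigated"
                findings.append((user_id, finding, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user_id, finding, pair in sod_findings(ACCOUNTS):
        print(f"{user_id:12} {finding:22} {pair or ''}")
```

Working at the duty level rather than the role level matters because roles are renamed and nested over time; the conflict list stays stable while the role-to-duty mapping is what gets maintained. The mitigated/unmitigated split is what lets the annual role review in 10.6 distinguish a known, documented exception from a new one.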
Program Development
11.15 A written system development lifecycle is established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software.
    Questions: Has a written system development lifecycle been established to outline requirements for planning, designing, developing, testing, approving, and implementing new applications and upgrades to existing applications, including vendor-developed software?
11.16 For all new applications or upgrades, appropriate project management documentation is prepared to define project scope, requirements, project plans, and milestones.
    Questions: Is appropriate project management documentation prepared for all new applications or upgrades? Does this documentation define the project scope, requirements, project plans, and milestones?
11.17 Management authorization is documented for all system implementations and upgrades. For all new application development efforts, a detailed design is established based on business requirements and considers all objectives, including functionality and security, during and after development. Developers do not have access to modify final production code during and after system implementations.
    Questions: Is management authorization documented for all system implementations and upgrades? Is a detailed design established for all new application development efforts? Is the design based on business requirements, and does it consider all objectives, including functionality and security, during and after development? How does the unit ensure that developers do not have access to modify final production code during and after system implementations?
11.18 For all new or upgraded applications, testing is planned, and results of successful testing by IT, software vendors (if applicable), and user groups are documented prior to implementation.
    Questions: Is testing planned for all new or upgraded applications? Are results of successful testing by IT, software vendors (if applicable), and user groups documented prior to implementation?
11.19 Management approval is requested and obtained prior to final implementation of a new or upgraded application. Approval is documented.
    Questions: Is management approval requested and obtained prior to final implementation of a new or upgraded application? Is approval documented?
11.20 The implementation of new and upgraded application software is documented, and supporting system documentation is established and retained. If data migration is performed as a result of the new/upgraded application software, reconciliations are performed to ensure that data migrated successfully and accurately. Support for reconciliations is retained. A post-implementation review for all new or upgraded application software is performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment.
    Questions: Is the implementation of new and upgraded application software documented, and is supporting system documentation established and retained? If data migration is performed as a result of the new/upgraded application software, are reconciliations performed to ensure that data migrated successfully and accurately? Is support for reconciliations retained? Is a post-implementation review for all new or upgraded application software performed by IT, end users, and software vendors (if applicable) to ensure that the system is functioning correctly in the production environment?
Computer Operations
11.21 Automated jobs are scheduled and monitored by computer operations personnel through the use of an automated scheduling tool. In the event of a processing failure, the job scheduling application generates a visual alert. Escalation procedures and emergency call lists are available to employees to determine who to contact in the event of a processing failure, and errors are resolved and documented.
    Questions: Are automated jobs scheduled and monitored by computer operations personnel through the use of an automated scheduling tool? In the event of a processing failure, does the job scheduling application generate a visual alert? Are escalation procedures and emergency call lists available to employees to determine who to contact in the event of a processing failure, and are errors resolved and documented?
11.22 Full system backups are performed on a weekly/monthly basis. In addition, incremental backups of critical data are performed on a daily basis. The agency performs an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis.
    Questions: Are full system backups performed on a weekly/monthly basis? In addition, are incremental backups of critical data performed on a daily basis? Does the Agency/Assessable Unit perform an inventory audit of backup tapes located at the offsite vendor facility (and tapes located onsite) on a semiannual/annual basis?
11.23 In the event that a backup job fails or data processing performance is negatively affected, a helpdesk ticket is created, and computer operations personnel are responsible for investigating and documenting the resolution in the helpdesk ticket.
    Questions: In the event that a backup job fails or data processing performance is negatively affected, is a helpdesk ticket created, and are computer operations personnel responsible for investigating and documenting the resolution in the helpdesk ticket?
Data Integrity
11.24 Management establishes restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals. System analytics and exception reporting are used to ensure that all data processed are authorized.
    Questions: Does management establish restrictive authorization controls within its operations, including establishment of controls over source documents and data entry terminals? Are system analytics and exception reporting used to ensure that all data processed are authorized?
11.25 Data validation procedures are in place to ensure accuracy of data manually entered and/or interfaced into the system. Data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports.
    Questions: Are data validation procedures in place to ensure accuracy of data manually entered and/or interfaced into the system? Do data validation procedures include reconciliations to source data/system, system edit checks, and reviews of output reports?
11.26 Application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file).
    Questions: Do application controls include validation of input data, identification and resolution of rejected transactions, balancing transactions, and reconciliations (to source data, to input file, to output file)?
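Rows 11.25 and 11.26, together with the information-processing bullet in 10.9 (edit checks, accounting for transactions in numerical sequence, batch totals against control accounts), describe one pipeline for an interfaced batch: validate each record, set rejected transactions aside without losing them, prove that accepted plus rejected balances back to the sender's control count and total, and reconcile the output file to what was accepted. The Python below is an added example of that pipeline over a constructed batch file; it is not code from the presentation or from CliftonLarsonAllen. The record layout (an H header carrying count and total, then T transaction records), the vendor names, amounts and dates are all constructed.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample batch (not from the page). The H record carries the
# sender's control count and control total; T records are transactions:
# T,<sequence id>,<vendor>,<amount>,<date>. Sequence 1003 is missing, 1005 has
# a non-numeric amount and 1006 has an invalid date.
SAMPLE_BATCH = """\
H,5,1250.00
T,1001,ACME Supply,300.00,2017-03-01
T,1002,Beta Services,450.00,2017-03-02
T,1004,Gamma LLC,200.00,2017-03-03
T,1005,Delta Inc,abc,2017-03-03
T,1006,Epsilon Co,300.00,2017-13-40
"""


def edit_checks(fields):
    """System edit checks for one record: (parsed record, rejection reasons)."""
    if len(fields) != 5 or fields[0] != "T":
        return None, ["malformed_record"]
    _, raw_id, vendor, raw_amount, raw_date = fields
    reasons = []
    try:
        seq = int(raw_id)
    except ValueError:
        seq = None
        reasons.append("non_numeric_id")
    if not vendor.strip():
        reasons.append("missing_vendor")
    try:
        amount = Decimal(raw_amount)
        if amount <= 0:
            reasons.append("non_positive_amount")
    except InvalidOperation:
        amount = Decimal("0")          # carried at zero so balancing still closes
        reasons.append("non_numeric_amount")
    try:
        datetime.strptime(raw_date, "%Y-%m-%d")
    except ValueError:
        reasons.append("invalid_date")
    return {"id": seq, "vendor": vendor, "amount": amount, "date": raw_date}, reasons


def process_batch(text):
    """Validate, account for sequence, balance to the header and reconcile the
    output file; returns a report dict."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0][0] != "H":
        raise ValueError("batch header missing")
    header_count, header_total = int(rows[0][1]), Decimal(rows[0][2])

    accepted, rejected, gaps, expected = [], [], [], None
    for fields in rows[1:]:
        rec, reasons = edit_checks(fields)
        if rec is not None and rec["id"] is not None:
            # Accounting for transactions in numerical sequence (10.9).
            if expected is not None and rec["id"] > expected:
                gaps.extend(range(expected, rec["id"]))
            elif expected is not None and rec["id"] < expected:
                reasons.append("duplicate_or_out_of_sequence")
            expected = max(expected or 0, rec["id"] + 1)
        if reasons:
            rejected.append({"id": fields[1] if len(fields) > 1 else None,
                             "reasons": reasons,
                             "amount": rec["amount"] if rec else Decimal("0")})
        else:
            accepted.append(rec)

    # Balancing: every input record is accepted or rejected, and the amounts
    # (rejected ones at their parseable value) add back to the control total.
    accepted_total = sum((r["amount"] for r in accepted), Decimal("0"))
    rejected_total = sum((r["amount"] for r in rejected), Decimal("0"))

    # Write the output file, then re-read it and reconcile to what was accepted.
    out = io.StringIO()
    writer = csv.writer(out)
    for r in accepted:
        writer.writerow([r["id"], r["vendor"], f"{r['amount']:.2f}", r["date"]])
    out_rows = list(csv.reader(io.StringIO(out.getvalue())))
    output_total = sum((Decimal(r[2]) for r in out_rows), Decimal("0"))

    return {
        "accepted": accepted,
        "rejected": rejected,
        "sequence_gaps": gaps,
        "count_balanced": len(accepted) + len(rejected) == header_count,
        "total_balanced": accepted_total + rejected_total == header_total,
        "output_count": len(out_rows),
        "output_total": output_total,
        "output_reconciles": (len(out_rows) == len(accepted)
                              and output_total == accepted_total),
        "output_file": out.getvalue(),
    }


if __name__ == "__main__":
    report = process_batch(SAMPLE_BATCH)
    for key in ("count_balanced", "total_balanced", "sequence_gaps",
                "output_count", "output_total", "output_reconciles"):
        print(f"{key:18} {report[key]}")
    for r in report["rejected"]:
        print("rejected", r["id"], ",".join(r["reasons"]))
```

The point of carrying rejected records at their parseable amount is that the batch still balances to the sender's control total even when two records are set aside; a batch that does not balance after that step signals a lost or altered record rather than a bad one, which is a different investigation. The sequence gap at 1003 is reported separately because a missing transaction cannot be rejected, only chased.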
Disaster Recovery
11.27 A disaster response and recovery plan has been developed and is understood by key personnel. As part of developing this plan, management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources.
    Questions: Has a disaster response and recovery plan been developed, and is it understood by key personnel? As part of developing this plan, has management identified and prioritized the criticality and sensitivity of computerized operations and supporting resources?
11.28 Management has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.
    Questions: Has management taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management?
11.29 Management has established a comprehensive contingency plan that allows for the timely recovery of information. This plan is periodically tested and adjusted as appropriate.
    Questions: Has management established a comprehensive contingency plan that allows for the timely recovery of information? Is this plan periodically tested and adjusted as appropriate?
End-User Computing
11.30 Management has implemented a methodology and written policies regarding end-user computing (Management Directive 205.43).
    Questions: Has management implemented a methodology and written policies regarding end-user computing (Management Directive 205.43)?
Principle 12 – Implement Control Activities
12.1 Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
    Questions: Are control activities regularly evaluated to ensure that they are still appropriate and working as intended?
12.2 Reviews are made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Questions: Are reviews made of actual performance compared to objectives for specific functions or activities, focusing on compliance, financial, and operational issues, budgets, and performance in prior periods for all major initiatives? Does management analyze and follow up as needed?
12.3 Management documents in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization. Management communicates the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities.
    Questions: Does management document in policies the internal control responsibilities of the organization, which could include the day-to-day procedures and timing of certain control activities within the organization? How does management communicate the policies and procedures to personnel so that personnel can implement the control activities for their assigned responsibilities?
Information and Communication
Principle 13 – Use Quality Information
13.1 Management continuously identifies the information requirements needed to communicate effectively both internally and externally. This would include management's review of changes to statute, regulations, economic changes, and other factors.
    Questions: How does management continuously identify changes (i.e., control environment, controls, internal controls, regulations, etc.) and ensure they are communicated internally and/or externally?
13.2 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements.
    Questions: Where and when does management obtain its relevant data (both internally and externally), and how does management ensure that information received is reliable and not reporting false information?
13.3 Management processes the obtained data into quality information that supports the internal control system and is effectively communicated throughout the agency's information system.
    Questions: Is management using current, complete, accurate, and accessible information on a timely basis to make informed decisions? What reporting mechanisms (i.e., SAP module, manual reports) are being used to run reports to meet the control objectives?
Principle 14 – Communicate Internally
14.1 Policies and procedures are formally shared with employees, up to date, reflective of actual operating practices, in alignment with goals and objectives, and comply with state and federal program requirements.
    Questions: How are changes (i.e., policy/procedural, compliance, or regulatory) communicated to all employees? Are policies and procedures reviewed and updated to reflect changes?
14.2 Management ensures that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur.
    Questions: How does management ensure that effective internal communications (e.g., risk management, employee-specific duties, acceptable/unacceptable behavior, complaints/inquiries, a system to have improvements recommended for operations, employee recognition, etc.) occur?
14.3 Management promotes and fosters trust between employees, supervisors, and other parties by establishing open channels of communication.
    Questions: Are there open channels of communication in your Agency/Assessable Unit? What is the policy for staff to be able to communicate with management, including any deficiencies in controls that staff may notice?
14.4 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all employees (i.e., flyer hanging in community room, email, onboarding process).
    Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all employees?
14.5 Management periodically evaluates the accuracy, timeliness, and relevance of its information and communication systems (i.e., weekly, monthly, annually). Management questions information on management reports that appears unusual or inconsistent.
    Questions: What is the process and timeframe to review reports received from subordinates to evaluate the accuracy, timeliness, and relevance of information?
Principle 15 – Communicate Externally
15.1 Management ensures that effective external communications (e.g., open channels with customers, suppliers, contractors, consultants, other governments, complaints/inquiries, advice from outside parties, etc.) occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.
    Questions: Does management have effective communications with important external parties? If yes, how does management promote these effective communications (i.e., presentations, annual reports, press releases, newsletters)?
15.2 An effective whistleblower protection program and fraud hotline are in place, and their existence and procedures are known to all vendors, contractors, and business partners.
    Questions: Do an effective whistleblower protection program and fraud hotline exist? Where can this information be found? How is this information communicated to all vendors, contractors, and business partners (i.e., email)?
15.3 Appropriate management reviews occur prior to report submission to parties outside the agency.
    Questions: Does management use professional judgement in regard to what information needs to be reviewed before being released to external parties? If yes, is this documented in a policy or procedure?
Monitoring
Principle 16 - Perform Monitoring Activities
161 Management establishes a baseline to monitor the internal control system Has management established a baseline to monitor the internal control system
162 Management monitors the internal control system through ongoing monitoring and separate evaluations Ongoing monitoring includes regular management and supervisory activities comparisons reconciliations and other routine actions Separate evaluations include self-assessments as well as audits and other evaluations performed by internal auditors external auditors the inspectors general and other external reviewers Monitoring of the internal control system includes evaluations of the internal controls at the subrecipient and vendor level when applicable How does management monitor the internal control system on an ongoing basis Does management perform separate evaluations in addition to ongoing monitoring Does management perform these tasks for all appropriate personnel including the subrecipient and vendor level when applicable
163 Management undergoes a systematic review and evaluation of each business process deemed critical to the institutionrsquos mission including risks to its reputation Does management periodically complete a review and evaluation of each mission critical process
164 Management provides oversight on securing audit reports of its service organizations and directs them to all pertinent parties for review and follow-up of deficiencies identified in the reports (if applicable) Does management obtain the appropriate reports (ie SOC reports) from all outside third-party vendors and follow-up on deficiencies noted in the reports If yes how does management follow-up on deficiencies
165 Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues and uses this evaluation to determine the effectiveness of the internal control system How does management document the results of its ongoing monitoring and separate evaluations of internal controls
166 Management identifies changes in the internal control system that either have occurred or are needed because of changes in the entity and its environment How does management assess whether changes in the entity or the entitys environment warrant changes in the internal control system
Principle 17 ndash Evaluate Issues and Remediate Deficiencies
171 Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis How do employees report deficiencies in internal control to management
172 Management evaluates and documents internal control issues both identified internally or via external reviewaudit and determines appropriate corrective action for internal control deficiencies on a timely basis How does management evaluate and document internal control issues both identified internally or via external reviewaudit to determine appropriate corrective action on a timely basis Is management responsive to findings and recommendations of audits and other reviews Are corrective action plans monitored


Enterprise Risk Management

Risk scoring factors and their column weights (the weights total 100; each risk is scored 1 to 5 on every factor):
• Level of documented control procedures – 10
• Size or volume – 10
• New products, services or processing systems – 10
• Personnel turnover and mix – 15
• Complexity – 15
• Susceptibility to fraud – 15
• Information and reporting – 10
• Inherent level of risk to the organization – 10
• Frequency mentioned during interviews – 5
• Total Score – 100

Data Breach – The risk that the organization's data is vulnerable from internal or external threats and, should any of the data be compromised, the Wolf Trap brand would be damaged. Factor scores: 2, 5, 4, 3, 5, 4, 5, 5, 3. Total Score: 405.

National Park Service Relationship – Risk that the relationship with the National Park Service does not reflect that of a partner but rather creates additional complexities in order to accomplish business. In addition, the risk relates to the 2018 renewal of the contract with NPS and the impact that specific contract terms have on the efficiency, flexibility and capabilities of the organization. Factor scores: 3, 5, 4, 3, 4, 1, 2, 5, 5. Total Score: 335.

Age of Venue – Filene Center – Risk that investment in the physical structure, sound equipment and other venue-related technology is unable to be accomplished, resulting in an outdated facility that may not support the mission of the organization. Factor scores: 3, 5, 4, 3, 4, 3, 1, 4, 3. Total Score: 335.

Succession Planning – The risk that Wolf Trap's operations would be disrupted, particularly within smaller departments, due to current employees not being available or having the capabilities to fill key positions should those positions be vacated for reasons other than termination. Factor scores: 5, 2, 1, 5, 3, 2, 3, 5, 5. Total Score: 335.

Audience Competition – The risk that external competition makes it difficult to achieve the organization's mission, maintain consistent philanthropic support year to year, or adequately manage programming based on other venues' desirability and pricing. Factor scores: 3, 5, 3, 1, 4, 2, 4, 5, 5. Total Score: 330.
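The Total Score column on the slide is each factor score multiplied by its column weight, summed (the weights total 100). The Python below is an added example, not the presenter's own spreadsheet: it reproduces all five totals from the slide's numbers and ranks the risks, and it rejects malformed rows so a missing cell or out-of-range score cannot silently mis-rank a risk. The weighted-sum formula is inferred from the slide's figures rather than stated on it.

```python
"""Weighted risk-scoring model (added example; not the deck's spreadsheet).
Factor names, weights and the five scored risks come from the Enterprise Risk
Management slide; the formula (sum of score x weight, weights totalling 100)
is inferred because it reproduces every Total Score on the slide."""
from typing import Dict, List, Tuple

# Factor weights as shown in the slide's header row (they sum to 100).
WEIGHTS: Dict[str, int] = {
    "documented control procedures": 10,
    "size or volume": 10,
    "new products, services or processing systems": 10,
    "personnel turnover and mix": 15,
    "complexity": 15,
    "susceptibility to fraud": 15,
    "information and reporting": 10,
    "inherent level of risk to the organization": 10,
    "frequency mentioned during interviews": 5,
}

# Each risk's factor scores (1 = low, 5 = high), in the slide's column order.
RISKS: Dict[str, List[int]] = {
    "Data Breach":                        [2, 5, 4, 3, 5, 4, 5, 5, 3],
    "National Park Service Relationship": [3, 5, 4, 3, 4, 1, 2, 5, 5],
    "Age of Venue - Filene Center":       [3, 5, 4, 3, 4, 3, 1, 4, 3],
    "Succession Planning":                [5, 2, 1, 5, 3, 2, 3, 5, 5],
    "Audience Competition":               [3, 5, 3, 1, 4, 2, 4, 5, 5],
}


def total_score(scores: List[int], weights: Dict[str, int] = WEIGHTS) -> int:
    """Weighted sum of factor scores; rejects rows a spreadsheet would accept."""
    if sum(weights.values()) != 100:
        raise ValueError("factor weights must total 100")
    if len(scores) != len(weights):
        raise ValueError("one score per factor required")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("factor scores must be between 1 and 5")
    return sum(s * w for s, w in zip(scores, weights.values()))


def rank_risks(risks: Dict[str, List[int]] = RISKS) -> List[Tuple[str, int]]:
    """Risks ordered highest total first (the slide's order); ties keep input order."""
    scored = [(name, total_score(scores)) for name, scores in risks.items()]
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, score in rank_risks():
        print(f"{score:4d}  {name}")
```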


Internal Control Policies and Procedures

• Develop a template and a location for access and storage
  – SharePoint, intranet site, guide, etc. (information and communication)
• Policy Components
  – Identify the risk
  – Document the control activities
  – Strategy for communication


Internal Audit Management Audit Plan


twitter.com/CLAconnect | facebook.com/cliftonlarsonallen | linkedin.com/company/cliftonlarsonallen


CLAconnect.com

Sean M. Walker, CPA, CFE, CGFM, CGMS
Principal
SeanWalker@claconnect.com
410-308-8081


  • Internal Control over Compliance / Green Book
  • Learning Objectives
  • Standards for Internal Control in the Federal Government
  • What's in Green Book for the Federal Government
  • What's in Green Book for State and Local Governments
  • Uniform Guidance – §200.303 Internal Controls
  • Why Do We Need an Internal Control Framework
  • Updated COSO Framework
  • The COSO Framework
  • From COSO to Green Book Harmonization
  • Revised Green Book: Standards for Internal Control in the Federal Government
  • Overview Section
  • Fundamental Concepts
  • Relationship Between Components, Principles and Attributes
  • Components and Principles
  • 5 Components and 17 Principles
  • Working Framework
  • Principles and Attributes
  • Principles and Attributes (cont.)
  • Management Evaluation
  • Layout of the Green Book
  • 5 Control Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information & Communication
  • Monitoring
  • Controls Across Components
  • Minimum Documentation Requirements
  • Minimum Documentation Requirements (cont.)
  • In Practice…
  • We Find…
  • Incremental Progress – Organizing
  • Incremental Progress – Analysis and Monitoring
  • Written Policy
  • Other Implementation Considerations
  • Risk Assessment Spreadsheet
  • Enterprise Risk Management
  • Internal Control Policies and Procedures
  • Internal Audit Management Audit Plan
  • Slide Number 41
