155289907a-133 compliance internal control tool
TRANSCRIPT
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
1/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
A - Activities
Allowed or
Unallowed
To provide reasonable
assurance that the Program
funds are expended for
allowable activities and that
the cost of goods and
servcies charged to the
program are allowable and
in accordance with the
Federal requirements and,
as applicable, appropriate
cost principles
Management assesses risks
resulting from changes to
cost-accounting systems that
may have an impace on the
progam. In addition, key
managers who oversee the
administration of the progam
have a sufficient
understanding of staff,
processes, and controls to
identify where unallowable
activities or costs could be
charged to the program and
not be detected.
1. Accountability is provided
for charges and costs made
to the program, other Federal
and non-Federal activities.
2. Procedures are in place to
ensure that there is
consistent treatment in the
distribution of charges as
direct and indirect costs to
the program.
3. Organization procedures
are in place for checking the
accuracy of computations.
4. Supporting documentation
is compared to a list of
allowable and unallowable
costs for the program.
5. Adequate segregatoin of
duties are in place in the
review and authorization of
costs charged to the
program.
6. Payments are approved
by a person who is
knowledgeable of therequirements for determining
activities allowed or
unallowed for the program.
B- Allowable
Costs/Cost
Principles
To provide reasonable
assurance that the Program
funds are expended for
allowable activities and that
the cost of goods and
servcies charged to the
program are allowable and
in accordance with theFederal requirements and,
as applicable, appropriate
cost principles
1. Management has
established a process for
assessing risk resulting from
changes to cost accounting
systems. 2.
Key managers have a
sufficient understanding of
staff, processes, and controlsto identify where unallowable
activities or costs could be
charged to a Federal
program and not be detected.
1. There is a process in
place for timely updating of
procedures for changes in
activities allowed and cost
principles.
2. Supporting documentation
is compared to a list of
allowable and unallowableexpenditures. 3.
Adequate segregation of
duties in the review and
authorization of costs.
4. Accountability is provided
for charges and costs
between Federal and non-
Federal activities
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
2/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
C- Cash
Management
To provide reasonable
assurance that the draw
down of the Program cash
is only for immediate needs,
states comply with
applicable Treasury
agreements,and recipients
limit payments to
subrecipients to immediate
cash needs
1. There are written
procedures in place to
anticipate, identify, and react
to routine events that affect
progam cash needs.
2. There are written
procedures in place to
assess the adequacy of
subrecipient cash needs.
3. Management is aware of
the cash management
requirements for the
program.
1. The accounting system is
capable of scheduling
payments for accounts
payable and requrests for
funds from the U.S Treasury
to avoid time lapse between
draw downs of funds and
actual disbursement of funds.
2. Reconciliations of cash
draw downs to actual cash
disbursements are performed
monthly. 3. There
are written policies and
procedures for requesting
program cash advances as
reasonable close as possible
to actual program cash
outlays? 4.
There are written procedures
for monitoring of cash
management activities.
5. There are written
procedures in place for
repayment of excess interest
earnings.6. Draw down requests are
reviewed and approved prior
to being drawn down.
D- Davis-Bacon Act To provide reasonable
assurance that contractors
and subcontractors were
properly notified of the
Davis-Bacon Act
requirements and the
required certified payrolls
were submitted to the non-Federal entity.
1. Procedures are in place to
identify contractors and
subcontractors most at risk of
not paying the prevailing
wage rates.
2. Policies and procedures
are in place at the
organization to reduce therisk to an acceptable level.
3. Management has
identified how Davis-Bacon
compliance will be monitored
and the related risks of
failure to monitor compliance.
1. Contractors are informed
in the procurement
documents of the prevailing
wage rates.
2. Contractors and
subcontractors are required
to submit certifications and
copies of payroll documents.3. Contractor and
subcontractor payrolls are
monitored to ensure certified
payrolls are submitted.
E- Eligibility To provide reasonable
assurance that only eligible
individuals and
organizations receive
assistance under Federal
award programs, that
subawards are made only to
eligible subrecipients, and
that the amounts provided
to or on behalf of eligibles
were calculated in
accordance with program
requirements.
1. Risks for program
eligibility are prepared
internally or received from
external sources.
2. Policies and procedures
are in place to reduce the
risk of payments to ineligible
recipeints.
3. Conflict of interest
statements/independence
statements are maintained
for personnel who determine
eligibility for the program.
1. Written policies provide
direction for making and
documenting eligibility
determinations for the
program.
2. Procedures are in place to
provide reasonable
assurance that the methods
used to calculate eligibilty
amounts are consistent with
program requirements.
3. Authorized signatures on
eligibility documents are
periodically reviewed.
4. Access to eligibil ity
records are restricted.
5. Procedures are in place to
provide reasonable
assurance that data is
accurately, properly and
completely used in making
eligibility determinations
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
3/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
F- Equipment and
Real Property
Management
To provide reasonable
assurance that proper
records are maintained for
equipment acquired with
Federal awards, equipment
is safeguarded and
maintained, disposition or
encumbrance of any
equipment or real property
is in accordance with
Federal requirements, and
the Federal awarding
agency is appropriately
compensated for i ts share
of any property sold or
converted to non-Federal
use.
1. Management has
identified the risk of
appropriation or improper
disposition of property
acquired with Federal
awards.
2. Procedures are in place to
identify potential areas of
noncompliance.
1. Detailed records are
maintained on all acquisitions
& dispositions of property
acquired with Federal
awards.
2. Property tags are placed
on equipment upon reciept.
3. A physical inventory of
equipment is periodically
taken and compared to
property records.
4. Policies and procedures
are in place covering record
keeping responsibilities &
dispostions.
5. Property records contain
description, (including serial
number), source, who holds
title, acquisition date and
cost, percentage of Federal
participation in the cost,
location, condition &
disposition data.
6. Procedures have been
established to providereimbursement to the Federal
agency for disposition of
property.
G- Matching, Level
of Effort, Earmarking
To provide reasonable
assurance that matching
level of effort, or earmarking
requirements are met using
only allowable funds or
costs that are properly
calculated and valued.
1. Management has
identified areas where
estimated values may be
used for matching, level of
effort or earmarking
purposes.
2. Management has a
sufficient understanding ofthe accounting system so
potential recording problems
may be identified.
1. Evidence pertaining to
matching contributions
obtained from outside
organizations is obtained.
2. The organization has
procedures in place to
identify whether such
matching contributions arefrom non-Federal sources, do
not involve Federal funds, or
were not used for another
federal progam.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
4/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
H- Period of
Availability of
Federal Funds
To provide reasonable
assurance that federal
funds are used only during
the authorized period of
availability.
1. The budgetary process
considers the period of
availability of federal funds
as to both obligation and
disbursement of funds.
2. Management has
assessed the risk that federal
funds will be expended
(obligated) outside the grant
period and policies and
procedures are in place.
1. The accounting system
provides reasonable
assurance that federal funds
will not be expended or
obligated outside (after the
close of) the grant period.
2. Program managers are
advised of impending cut-off
dates for period of
availability.
3. A review of expenditures
is conducted by supervisors
knowledgeable of the period
of availability for the funds.
4. Procedures are in place at
the end of the period of
availability to ensure that the
cancellation of unliquidated
commitments.
I- Procurement and
Suspension and
Debarment
To provide reasonable
assurance that procurement
of goods and services are
made in compliance with
the Provisons of A-102
"Common Rule" and that
covered transactions (as
defined in suspension and
debarment common rule)
are not made with a
debarred or suspended
party.
1. Management has
identified risks arising from
conflict of interest (kickbacks,
related party transactions,
bribery, etc). 2.
Written policies and
procedures are in place to
regarding conflict of interest.
3. Management has
identified risks arising from
vendor adequacy (quality of
goods and services).
4. Conflict of interest
(independence statements)
statements are maintained
for personnel responsible for
the procurement of goods
and services. 5.
Management has identified
where noncompliance could
likely occur for procurement,
suspension and debarment.
1. There are appropriate
segregation of duties
between employees who are
responsible for contracting,
accounts payable, anc cash
disbursing.
2. Written policies and
procedures are in place for
the procurement of goods
and services.
3. Contract files document
significant procurement
history, suspension and
debarment certifications are
obtained from each
prospective vendor.
4. The organization has a
suspension and debarment
policy in place that prohibits
the awarding of a contract,
subaward, or any other
agreement with a suspended
or debarred party.
5. The organization reviews
the contractor's performance
with the terms and conditions
specified in the contract.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
5/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
J- Program Income To provide reasonable
assurance that program
income is correctly earned,
recorded, and used in
accordance with the
Program requirements.
1. Management has
identified the risk of
unrecorded or miscoded
program income.
2. Policies and procedures
are in place with regarrd to
progam income.
3. Management has
established a policy to
analyze variances between
expected and actual income
on a regular basis.
1. Pricing and collection
policy procedures are
communicated to personnel
responsible for program
income.
2. Procedures are in place to
provide reasonable
assurance that progam
income is properly recorded
as earned and deposited in
the bank as collected.
3. Policies and procedures
are in place to assure that
program income will be used
in accordance with federal
program requirements.
4. Policies and procedures
are in place to insure that the
Federal share of net income
from the sale, use, or lease
of property previously
acquired with Federal funds
is used for projects eligible
under 23 USC.
K - Real Property
Acquisition/Relocati
on Assistance
To provide reasonable
assurance of compliance
with the property
acquisition, appraisal,
negotiation, and residential
relocation requirements.
1. Management has
identified the risk that
relocation will not be
conducted in accordance
with the compliance
requirements (e.,g. improper
payements will be made to
individuals or business that
relocate). 2.
Policies and procedures are
in place regarding realproperty acquisition and
relocation assistance
1. Training has been
provided to employees who
handle relocation assistance
and real property acquisition.
2. Reviews and approvals on
all real property acquisition
and relocation assistance
payments are conducted.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
6/43
Compliance
Requirements Objective
Risk Assessment Expected
Control Existing Control
Control Activities Expected
Control
L- Reporting To provide reasonable
assurance that reports of
Federal awards, submitted
to the federal awarding
agency or pass-through
entity include all activity of
the reporting period, are
supported by underlying
accounting or performance
records, and are presented
fairly in accordance with
program requirements.
1. Management has
identified risks of faulty
reporting caused by such
items as lack of current
knowledge, inconsistent
application, or disregard for
the standards of financial
reporting requirements of
Federal awards.
2. Procedures are in place to
identify underlying financial
source data that may not be
reliable.
1. Written policies are in
place that define employee
responsibilities and provide
procedures for periodic
monitoring, verification, and
reconciliation of financial
reporting.
2. There is a system in place
that reminds staff when
reports are due to the
Federal awarding and/or
pass through agency.
3. There is a general ledger
or other reliable accounting
records that is the basis for
the required Federal financial
reports. 4.
The required accounting
method (cash or accrual) is
used to prepare the Federal
financial reports.
5. The Federal financial
reports are reconciled back
to supporting documentation.
6. Federal financial reportsare reviewed and approved
before they are submitted.
M- Subrecipient
Monitoring
To provide reasonable
assurance that federal
award information and
communication
requirements are identified
to subrecipients,
subrecipient activities are
monitored, subrecipientaudit findings are resolved,
and the impact of any
subrecipient noncompliance
on the pass-through entity
is evaluated. Also, the pass-
through entity should
perform procedures to
provide reasonable
assurance that the
subrecipient obtained
required audits and takes
appropriate corrective
action on audit findings.
1. Managers have the
necessary skill and
experience necessary to
understand the subrecipient
environment, systems, and
controls sufficient so as to
identify the level and
methods of monitoringrequired.
2. Procedures exist to
identify and react to changes
in subrecipients such as
financial problems that could
lead to diversion of funds,
loss of essential personnel,
loss of license or
accreditations to operate the
program, organizational
restructuring, etc.
1. Federal award information
(e.g., CFDA title and number,
award name, name of federal
agency, and amount of
award) and applicable
compliance requirements are
provided to all recipients.
2. The requirement tocomply with all compliance
requirements applicable to all
applicable federal programs,
including the audit
requirements of OMB
Circulare A-133, is included
in all subrecipient
agreements.
3. Performing site visits to
subrecipients to review
financial records and
observing operations is
conducted. 4.
Logging and follow up with all
subrecipients required tosubmit A-133 audit reports is
conducted. 5. A
tracking system is in place to
follow up on reported audit
deficiencies.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
7/43
Existing Control
Control Environment
Expected Controls
1. Management sets
reasonable budgets for the
program, other Federal and
non-Federal programs so
that no incentive exists to
miscode expenditures.
2. There is organization wide
cognizance for the need of
separate identification of
allowable program costs.
3. Program questioned costs
are resolved in a timely
basis. 4.
There is a list of allowable
and unallowable
expenditures provided to
personnel responsible for
approving expenditures.
1. Management sets
reasonable budgets for the
program, other Federal and
non-Federal programs so
that no incentive exists to
miscode expenditures.
2. Management enforces
appropriate penalties formisappropriation or misuse of
funds.
3. Organization wide
cognizance of need for
separate identification of
allowable Federal costs.
4. Management provides
personnel approving and pre-
auditing expenditures with a
list of allowable and
unallowable expenditures.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
8/43
Existing Control
Control Environment
Expected Controls
1. Staff is knowledgeable
and has been trained about
program cash management
compliance requirements.
2. The organization's cash
draw down requests from the
U.S Treasury are approved
by a supervisor or manager.
3. Subrecipient cash
payment requests are
approved by a responsible
official.
4. Budgets for cash draw
downs are prepared.
5. Management takes
corrective action plans for
known departures from
approved policies and
procedures.
1. The organization
understands and
communicates to its staff,
contractors and
subcontractors the
requirement to pay wages in
accordance with the Davis-
Bacon Act. 2.The organization takes
appropriate corrective action
for known departures from
approved policies and
procedures.
1. The size and competence
level of the staff is adequate
for making required program
eligibility determinations.
2. Realistic
caseload/performance
targets are established for
program eligibility
determinations.
3. Lines of authority and
responsibility are clear for
determining program
eligibility.
4. Management takes
appropriate corrective action
for known departures from
approved policies and
procedures and program
compliance requirements.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
9/43
Existing Control
Control Environment
Expected Controls
1. Management is committed
to providing proper
stewardship for property
acquired with Federal funds.
2. Management takes
appropriate action for known
departures from approved
policies and procedures.
3. Procedures are in place to
prevent assets from being
under-valued at the time of
disposition. 4.
Separation of duties is in
place to discourage
tempation of misuse of
Federal assets.
1. Commitment from
management to meet
matching, level of effort, and
earmarking requirements
(e.,g adequate budget
resources to meet a specified
matching rqmnt or maintain a
required level of effort)2. Budget process
address/provides adequate
resources to meet matching,
level of effort, or earmarking
goals.
3. Official written policy
exists outling responsibilities
for determing required
amounts or limits of
matching, level of effort, or
earmarking, methods ov
valuing matching
requirements, allowable
costs that may be claimed,
methods of accounting forand documenting amts used
to calculate amts claimed.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
10/43
Existing Control
Control Environment
Expected Controls
1. Management is committed
to complying with the period
of availability requirement.
2. Management takes
appropriate action for known
departures from approved
policies and procedures.
1. Codes of conduct and
other policies regarding
acceptable practices,
conflicts of interest, or
expected standards of ethcial
and moral behavior for
making procurement exist
and have been implemented.
2. The procurement policy
and/or manual (which
includes federal
requirements) are made
available to management and
employees. 3.
Management takes
appropriate action for known
departures from approved
policies and procedures and
compliance requirements.
4. There is a clear
assignment of authority for
issuing purchase orders and
contracting for goods and
services. 5.
Management prohibits
intervention or overriding
established procurement
controls.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
11/43
Existing Control
Control Environment
Expected Controls
1. Management understands
it responsibility for program
income.
2. Management takes
appropriate action for known
departures from approved
policies and procedures.
1. The organization has
written policies and
procedures provding
direction for handling
relocation assistance and
real property acquisition
payments.
2. Management takes
appropriate action for known
departures from approved
policies and procedures.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
12/43
Existing Control
Control Environment
Expected Controls
1. Management promotes
accurate and fair financial
reporting presentations.
2. Personnel preparing,
reviewing, and approving
reports possess the required
skill and experience.
3. There is appropriate
assignment of responsibility
and delagation of authority
for financial reporting
decions.
4. Management takes
appropriate action for known
departures from approved
policies and procedures and
compliance requirements.
1. Management has a strong
commitment to monitoring
subrecipients. 2.
A structure is in place to
provide the necessary
information flow to monitor
subrecipients adequately.
3. Sufficient resources arededicated to subrecipient
monitoring.
4. Subrecipeints
demonstrate that they are
willing and able to comply
with the requirements of the
award and they have the
accounting systems including
the use of applicable cost
principles, and internal
control systems adequate to
administer the award.
5. Sanctions are taken for
subrecipient noncompliance.
6. Management takesappropriate action for known
departures from approvied
policies and procedures.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
13/43
RISK ASSESSMENT DOCU
NO: POINTS OF FOCUS
1. ENTITY-WIDE OBJECTIVES
1.1. Describe the entity-wide objectives and key strategies that have been
established. (For: Operations, Financial Reporting, and Compliance)
1.2. Extent to which the entity-wide objectives provide sufficiently broad statements
and guidance on what the entity desires to achieve, yet which are specific
enough to relate directly to this entity.
1.2.1. Management has established entity-wide objectives .
1.3. Effectiveness with which the entity-wide objectives are communicated to
employees and the director.1.3.1. Management obtains feedback from key managers, other employees
and the director signifying that communication to employees is effective.
1.4. Relation and consistency of strategies with entity-wide objectives.
1.4.1. The strategic plan supports the entity-wide objectives.
1.4.2. It addresses high level resource allocations and priorities.
1.5. Consistency of business plans and budgets with entity-wide objectives,
strategic plans and current conditions.
1.5.1. Assumptions inherent in the plans and budgets reflect the entity's
historical experience and current conditions.
2. ACTIVITY-LEVEL OBJECTIVES2.1. Linkage of activity-level objectives with entity-wide objectives and strategic plans.
2.1.1. Activity-level objectives are reviewed from time to time for continued
relevance.
2.2. Consistency of activity-level objectives with each other.
2.3. Relevance of activity-level objectives to all significant business processes.
2.3.1. Objectives are established for key activities in the flows of goods and
services and support activities.
2.3.2. Activity-level objectives are consistent with past practices and perform-
ances or with industry or functional analogues, or the reasons for
variance have been considered.2.3.3. Objectives are established for each significant activity. These include:
2.3.3.1. Operations
2.3.3.2. Service
2.3.3.3. Procurement
2.3.3.4. Planning
2.3.3.5. Processes
2.3.3.6. Analyze and Reconcile
2.3.3.7. Process Payroll
2.3.3.8. Reporting
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
14/43
2.3.3.9. Compliance
2.4. Specificity of activity-level objectives.
2.5. Adequacy of resources relative to objectives.
2.5.1. Plans exist for acquiring necessary resources.
2.6. Identification of objectives that are important to achievement of entity-wide
objectives.
2.6.1. Management has identified what must go right, or where failure must be
avoided, for entity-wide objectives to be achieved.
2.6.2. The objectives serving as critical success factors provide a basis for
particular management focus.
2.7. Involvement of all levels of management in objective setting and extent to
which they are committed to the objectives.
2.7.1. Managers participate in establishing activity objectives for which theyare responsible.
2.7.2. Procedures exist to resolve disagreements.
2.7.3. Managers support the objectives, and do not have "hidden agendas."
3. RISKS
3.1. An entity's risk assessment (RA) process should identify and consider the
implications of relevant risks, at both the entity level and the activity level.
The RA process should consider external and internal factors that could
impact achievement of the objectives, should analyze the risks, and
provide a basis for managing them.
3.2. Adequacy of mechanisms to identify risks arising from external sources.3.2.1. Supply sources
3.2.2. Technology changes
3.2.3. Economic conditions
3.2.4. Political conditions
3.2.5. Regulation
3.2.6. Natural events
3.3. Adequacy of mechanisms to identify risks arising from internal sources.
3.3.1. Human resources; retention of key people.
3.3.2. Information systems; adequacy of back-up systems.
3.4. Identification of significant risks for each significant activity-level objective.
3.5. Thoroughness and relevance of the risk analysis process, including estimating
the significance of risks, assessing the likelihood of their occurring and
determining needed actions.
3.5.1. The identified risks are relevant to the corresponding activity objective.
4. MANAGING CHANGE
4.1. Existence of mechanisms to anticipate, identify and react to routine events
or activities that affect achievement of entity or activity-level objectives.
4.1.1. Routine changes are addressed as part of the normal risk identification
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
15/43
analysis process, or through separate mechanisms.
4.2. Existence of mechanisms to identify and react to changes that can have a
more dramatic and pervasive effect on the entity, and may demand the
attention of top management.
4.2.1. Changed operating environment
4.2.2. New personnel
4.2.3. New or redesigned information systems
4.2.4. Rapid growth
4.2.5. New technology
4.2.6. New activities and acquisitions
4.2.7. Agency restructuring
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
16/43
ENTATION
CONCLUSIONS / ACTIONS NEEDED
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
17/43
Risk is identified as:
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
18/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
19/43
CONTROL ACTIVITIES DOCUMENTATION
NO: POINTS OF FOCUS CONCLUSIONS / ACTIONS NEEDED
1. Control activities encompass a wide range of policies and the relatedimplementation procedures that help ensure that management's directives
are effected. They help ensure that those actions identified as necessary to
address risks to achieve the entity's objectives are carried out.
1.1. Existence of appropriate policies and procedures necessary with respect to
each of the entity's activities.
1.1.1. All relevant objectives and associated risks for each significant activity
should have been identified in conjunction with evaluating Risk
Assessment.
1.2. Identified control activities in place are being applied properly.
1.2.1. Supervisory personnel review the functioning of controls.
1.2.2. Controls described in policy manuals are actually applied and are applied
the way that they're supposed to be.
1.2.3. Appropriate and timely action is taken on exceptions or information
that requires follow-up.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
20/43
INFORMATION & COMMUNICATION D
NO: POINTS OF FOCUS
1. INFORMATION
Information is identified, captured, processed and reported by information
systems. Relevant information includes industry, economic and regulatory
information obtained from external sources, as well as internally generatedinformation.
1.1. Obtaining external and internal information, and providing management
with necessary reports on the entity's performance relative to established
objectives.
1.1.1. Mechanisms are in place to obtain relevant external information.
1.1.2. Internally generated information critical to achievement of the entity's
objectives, including that relative to critical success factors, is identified
and regularly reported.
1.1.3. The information that managers need to carry out their responsibilities is
reported to them.
1.2. Providing information to the right people in sufficient detail and on time to enable
them to carry out their responsibilities efficiently and effectively.
1.2.1. Managers receive analytical information that enables them to identify
what action needs to be taken.
1.2.2. Information is provided at the right level of detail for different levels of
management.
1.2.3. Information is summarized appropriately, providing pertinent information
while permitting closer inspection of details as needed rather than just
a "sea of data."
1.2.4. Information is available on a timely basis to allow effective monitoring
of events and activities.
1.3. Development or revision of information systems based on a strategic planfor information systems-linked to the agency's overall strategy- and responsive
to achieving the entity-wide and activity-level objectives.
1.3.1. A mechanism is in place for identifying emerging information needs.
1.3.2. A long-range information technology plan has been developed and
linked with strategic initiatives.
1.4. Management's support for the development of necessary information systems
is demonstrated by the commitment of appropriate resources-human and financial.
1.4.1. Sufficient resources are provided.
2. COMMUNICATION
2.1. Communication is inherent in information processing. Communication alsotakes place in a broader sense, dealing with expectations and responsibilities
of individuals and groups. Effective communication must occur down, across
and up an organization and with parties external to the organization.
2.2. Effectiveness with which employees' duties and control responsibilities are
communicated.
2.2.1. Employees understand how their duties affect, and are affected by,
duties of other employees.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
21/43
2.3. Establishment of channels of communication for people to report
suspected improprieties.
2.3.1. Anonymity is permitted
2.3.2. Employees actually use the communication channel.
2.3.3. Persons who report suspected improprieties are provided feedback,
and have immunity from reprisals.
2.4. Receptivity of management to employee suggestions of ways to enhance
productivity, quality or other similar improvements.
2.4.1. Management acknowledges good employee suggestions by
providing cash awards or other meaningful recognition.
2.4.2. Realistic mechanisms are in place for employees to provide recom-
mendations for improvement.
2.5. Adequacy of communication across the organization and the completeness
and timeliness of information and its sufficiency to enable people to discharge
their responsibilities effectively.
2.6. Openness and effectiveness of channels with customers, suppliers and other
external parties for communication information on changing customer needs.
2.6.1. Feedback mechanisms with all pertinent parties exist.
2.6.2. Suggestions, complaints and other input are captured and communicated
to relevant internal parties.
2.6.3. Information is reported upstream as necessary and follow-up action taken.
2.7. Extent to which outside parties have been made aware of the entity's
ethical standards.
2.7.1. Senior executive periodically explains in writing the entity's ethical
standards to outside parties.2.7.2. Suppliers, customers and others know the entity's standards and
expectations regarding actions in dealing with the entity.
2.7.3. Such standards are reinforced in routine dealings with outside parties.
2.8. Timely and appropriate follow-up action by management resulting from
communications received from customers, vendors, regulators or other
external parties.
2.8.1. Personnel are receptive to reported problems regarding products,
services or other matters, and such reports are investigated and acted upon.
2.8.2. Errors in customer billings are corrected, and the source of the error is
investigated and corrected.
2.8.3. Appropriate personnel-independent of those involved with the original
transaction-process complaints.
2.8.4. Top management is aware of the nature and volume of complaints.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
22/43
CUMENTATION
CONCLUSIONS / ACTIONS NEEDED
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
23/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
24/43
MONITORING DOCUMEN
NO: POINTS OF FOCUS
1. ONGOING MONITORING
Ongoing monitoring occurs in the ordinary course of operations, and includes
regular management and supervisory activities, and other actions personnel
take in performing their duties that assess the quality of internal controlsystem performance.
1.1. Extent to which personnel, in carrying out their regular activities, obtain
evidence as to whether the system of internal control continues to function.
1.1.1. Operating management compares production, inventory, sales or other
information obtained in the course of their daily activities to systems-
generated information.
1.1.2. Integration or reconciliation of operating information used to manage
operations with data generated by the financial reporting system.
1.1.3. Operating personnel are required to "sign off" on the accuracy of their
unit's financial statements, and are held responsible if errors are discovered.
1.2. Extent to which communications from external parties corroborate internally
generated information, or indicate problems.
1.2.1. Customers implicitly corroborate billing data by paying their invoices,
or customer complaints about billings-indicating system deficiencies in
the processing of sales transaction-are investigated for their underlying
causes.
1.2.2. Communications from vendors and monthly statements of accounts payable
are used as a control monitoring technique.
1.2.3. Suppliers' complaints of unfair practices by purchasing agents are
fully investigated.
1.2.4. Regulators communicate information to the entity regarding compliance
or other matters that reflect on the functioning of the internal control
system.1.2.5. Controls that should have prevented or detected the problems are
reassessed.
1.3. Periodic comparison of amounts recorded by the accounting system with
physical assets.
1.3.1. Inventory levels are checked when goods are taken from inventory
storage for shipment, and differences between recorded and actual
amounts are corrected.
1.3.2. Securities held in trust are counted periodically and compared with
existing records.
1.4. Responsiveness to internal and external auditor recommendationson means to strengthen internal controls.
1.4.1. Executives with proper authority decide which of the auditors'
recommendation will be implemented.
1.4.2. Desired actions are followed up to verify implementation.
1.5. Extent to which training seminars, planning sessions and other meetings
provide feedback to management on whether controls operate effectively.
1.5.1. Relevant issues and questions raised at training seminars are captured.
1.5.2. Employee suggestions are communicated upstream and acted on as
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
25/43
appropriate.
1.6. Whether personnel are asked periodically to state whether they understand
and comply with the entity's code of conduct and regularly perform
critical control activities.
1.6.1. Personnel are required periodically to acknowledge compliance with
the code of conduct.
1.6.2. Signatures are required to evidence performance of critical control
functions, such as reconciling specified amounts.
1.7. Effectiveness of internal audit activities.
1.7.1. There are appropriate levels of competent and experienced staff.
1.7.2. Their position within the organization is appropriate.
1.7.3. They have access to the Director.
1.7.4. Their scope, responsibilities and audit plans are appropriate
to the organization's needs.
2. SEPARATE EVALUATIONS
It is useful to take a fresh look at the internal control system from time
to time, focusing directly on system effectiveness. The scope and frequency
of separate evaluations will depend primarily on an assessment of risks,
and ongoing monitoring procedures.
2.1. Scope and frequency of separate evaluations of the internal control systems.
2.1.1. Appropriate portions of the internal control system are evaluated.
2.1.2. The evaluations are conducted by personnel with the requisite skills.
2.1.3. The scope, depth of coverage and frequency are adequate.
2.2. Appropriateness of the evaluation process.2.2.1. The evaluator gains a sufficient understanding of the entity's activities.
2.2.2. An understanding is obtained of how the system is supposed to work
and how it actually does work.
2.2.3. An analysis is made, using the evaluation results as measured
against established criteria.
2.3. Whether the methodology for evaluating a system is logical and appropriate.
2.3.1. Such methodology includes checklists, questionnaires or other tools.
2.3.2. The evaluation team is brought together to plan the evaluation process
and ensure a coordinated effort.
2.3.3. The evaluation process is managed by an executive with
requisite authority.
3. REPORTING DEFICIENCIES
Internal control deficiencies should be reported upstream with certain
matters reported to top management and the board.
3.1. Existence of mechanism for capturing and reporting identified internal control
deficiencies.
3.1.1. From both internal sources and external sources.
3.1.2. Resulting from ongoing monitoring or separate evaluations.
3.2. Appropriateness of reporting protocols.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
26/43
3.2.1. Deficiencies are reported to the person directly responsible for the
activity and to a person at least one level higher.
3.2.2. Specified types of deficiencies are reported to more senior management
and to the board.
3.3. Appropriateness of follow-up actions.
3.3.1. The transaction or event identified is corrected.
3.3.2. The underlying causes of the problem are investigated.
3.3.3. There is follow-up to ensure the necessary corrective action is taken.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
27/43
TATION
CONCLUSIONS / ACTIONS NEEDED
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
28/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
29/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
30/43
CONTROL ENVIRONMENT DOCU
NO: POINTS OF FOCUS
1. INTEGRITY AND ETHICAL VALUES
1.1. Existence and implementation of codes of conduct and other policies regard-
ing acceptable business practice, conflicts of interest, or expected standards
of ethical and moral behavior.
1.1.1. Codes are periodically acknowledged by all employees.1.1.2. Employees understand what behavior is aceptable or unacceptable, and
know what to do if they encounter improper behavior.
1.2. Establishment of the "tone at the top" -including explicit moral guidance about
what is right and wrong.
1.2.1. Management appropriately deals with signs that problems exist, e.g.,
hazardous wastes, defective work, etc.
1.2.2. Commitment to integrity and ethics is communicated effectively throughout
the agency, both in words and deeds.
1.3. Appropriateness of remedial action taken in response to departures from
approved policies and procedures or violations of the code of conduct.1.3.1. Management responds to violations of behavioral standards.
1.3.2. Employees believe that if caught violating behavioral standards,
they'll suffer the consequences.
1.4. Managements attitude towards intervention or overriding established controls.
1.4.1. Manager override is explicitly prohibited.
1.4.2. Deviations from established policies are investigated and documented.
2. COMMITMENT TO COMPETENCE
2.1. Formal or informal job descriptions or other means of defining tasks that
comprise particular jobs.
2.2. Analysis of the knowledge and skills needed to perform jobs adequately.2.2.1. Evidence exists indicating that employees appear to have the
requisite knowledge and skills.
3. MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE
3.1. Nature of business risks accepted, e.g., whether management often enters
into particularly high-risk ventures, or is extremely conservative in
accepting risks.
3.2. Personnel turnover in key functions.
3.2.1. There has been excessive turnover of mgmt or supervisory personnel.
3.2.2. There is a pattern to turnover.
3.3. Frequency of interaction between senior management and operating mgmt,
particularly when operating from geographically removed locations.
3.4. Attitudes and actions toward financial reporting, including disputes over
application of accounting treatments.
3.4.1. Estimates do not stretch facts to the edge of reasonableness and beyond.
4. ORGANIZATIONAL STRUCTURE
4.1. Appropriateness of the entity's organizational structure, and its ability to pro-
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
31/43
vide the necessary information flow to manage its activities.
4.1.1. The organizational structure is appropriately centralized or decentralized
given the nature of the entity's operations.
4.2. Adequacy of definition of key managers' responsibilities, and their under-
standing of these responsibilities.
4.2.1. Responsibilities and expectations are communicated clearly.
4.3. Adequacy of knowledge and experience of key managers in light of responsibilities.
4.3.1. Executives in charge have the required knowledge, experience and
training to perform their duties.
4.4. Appropriateness of reporting relationships.
4.5. Sufficient numbers of employees exist, particularly in management and
supervisory capacities.
4.5.1. Managers and supervisors have sufficient time to carry out their
responsibilities effectively.
4.5.2. Managers and supervisors work excessive overtime and are fulfilling
the responsibilities of more than one employee.
5. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
5.1. Assignment of responsibility and delegation of authority to deal with organi-
zational goals and objectives, operating functions and regulatory requirements,
including responsibility for information systems and authorizations for changes.
5.1.1. Responsibility for decisions is related to assignment of authority and
responsibility.
5.2. Appropriateness of control-related standards and procedures, including
employee job descriptions.
5.2.1. Job descriptions exist.
5.2.2. They contain specific references to control related responsibilities.
5.3. Appropriate numbers of people, particularly with respect to data processing and
accounting functions, with the requisite skill levels relative to the size of the
entity and nature and complexity of activities and systems.
5.3.1. They have an adequate workforce to carry out mission.
5.4. Appropriateness of delegated authority in relation to assigned responsibilities.
5.4.1. Employees at the "right" level are empowered to correct problems or
implement improvements, and empowerment is accompanied by
appropriate levels of competence and clear boundaries of authority.
6. HUMAN RESOURCE POLICIES AND PRACTICES
6.1. Extent to which policies and procedures for hiring, training, promoting and
compensating employees are in place.
6.1.1. Level of attention given to recruiting and training the right people is
appropriate.
6.2. Extent to which people are made aware of their responsibilities and
expectations of them.
6.2.1. Supervisory personnel meet periodically with employees to review job
performance and suggestions for improvement.
6.3. Appropriateness of remedial action taken in response to departures
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
32/43
from approved policies and procedures.
6.3.1. Employees understand that ineffective performance will result in
remedial consequences.
6.4. Extent to which personnel policies address adherence to appropriate
ethical and moral standards.
6.4.1. Integrity and ethical values are criterion in performance appraisals.
6.5. Adequacy of employee candidate background checks, particularly
with regard to prior actions or activities considered to be unacceptable
by the entity.
6.5.1. Candidates with frequent job changes or gaps in employment history
are subjected to particularly close scrutiny.
6.6. Adequacy of employee retention and promotion criteria and information-
gathering techniques and relation to the code of conduct or other
behavioral guidelines.
6.6.1. Promotion and salary increase criteria are detailed clearly so that
individuals know what management expects prior to promotions or
advancement.
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
33/43
ENTATION
CONCLUSIONS / ACTIONS NEEDED
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
34/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
35/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
36/43
OVERALL INTERNAL CONTROL SYSTEM EVALUATION DO
NO: INTERNAL CONTROL COMPONENTS PRELIMINARY CONCLUSIONS
ACTIONS NEEDED
1. CONTROL ENVIRONMENT
1.1. Does management adequately convey the
message that integrity cannot be compromised?
1.2. Does a positive control environment exist,
whereby there is an attitude of control con-
sciousness throughout the organization, and a
positive "tone at the top"?
1.3. Is the competence of the entity's people com-
menusrate with their responsibilities?
1.4. Is management's operating style, the way it
assigns authority and responsibility, and organ-
izes and develops its people appropriate?
1.5. Does the Director provide the right level of
attention?
2. RISK ASSESSMENT
2.1. Are entity-wide objectives and supporting activity-
level objectives established and linked?
2.2. Are the internal and external risks that influence
the success or failure of the achievement
of the objectives identified and assessed?
2.3. Are mechanisms in place to identify changes af-
fecting the entity's ability to achieve its objectives?
2.4. Are policies and procedures modified as needed?
3. CONTROL ACTIVITIES
3.1. Are control activities in place to ensure adher-
ence to established policy and the carrying out
of actions to address the related risks?
3.2. Are there appropriate control activities for each
of the entity's activities?
4. INFORMATION AND COMMUNICATION
4.1. Are information systems in place to identify and
capture pertinent information-financial and non-
financial, relating to external and internal events-
and bring it to personnel in a form that enables
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
37/43
them to carry out their responsibilities?
4.2. Does communication of relevant information
take place?
4.3. Is it clear with respect to expectations and re-
sponsibilities of individuals and groups, and
reporting of results?
4.4. And does communication occur down, across
and upward in the entity, as well as between
the entity and other parties?
5. MONITORING
5.1. Are appropriate procedures in place to monitor on
an ongoing basis, or to periodically evaluate the
functioning of the other components of IC?
5.2. Are deficiencies reported to the right people?
5.3. Are policies and procedures modified as needed?
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
38/43
UMENTATION
ADDITIONAL
CONSIDERATIONS
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
39/43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
40/43
End of Period Financial Statements
Process Control Objective Risk Control Considerations P/D
Assertion
E,A,C,V,PThe following functions should be segregated: E,A,C,V,P
Authorization of transactions
Execution of transactions
Recording of transactions
Reconciliations
Consolidations
Maintenance of master files & tables
Access rules adequately support segregation of duties.
New general ledger accounts are approved before entry
into the system.
P E,A,C
Changes to tables are authorized before entry into the
system.
P E,A
Edits and validation procedures prevent invalid data from
entering the system.
P C,A
System reports of changes to master file/tables are
independently verified to the source documents.
D A
Master file/table
data does not
remain accurate
Master File/Table data is periodically reviewed by
management.
D A
AREAS TO CONSIDER:
Foreign currency
Investments
Allowance for doubtful accounts
Asset impairment
Depreciation of assets
Amortization of pre-paids and intangibles
Warranty reserves
Pension and OPEB liabilities
LIFO or lower of cost or market calculations
Accruals
Income taxes (current and deferred)
Transactions are reviewed (including assumptions for
transaction calculations) and properly authorized prior to
entry into the system.
E,A,V
Asset /
Liability
Estimations
and
Valuations
Estimations and
valuations are recorded
accurately, completely
and on a timely basis.
Assets and
liabilities may not
be properly stated
Master File
Maintenance
Changes to the general
ledger/ consolidation
master files and relatedtables, or similar tools,
are properly
authorized, accurate
and recorded timely
Unauthorized
additions/changes
can be made to themaster files/tables
Audit Area
Segregation
of Duties
Accounting functions
are properly
segregated.
Unauthorized and
inaccurate
transactions may
be recorded
Page 40 of 43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
41/43
Process Control Objective Risk Control Considerations P/D
Assertion
E,A,C,V,P D
Supporting schedules are reconciled to the general ledger. E,A,C
Entries/account balances are reviewed against: budgets,
source documents, other metrics and reports and
compliance with GAAP.
E,A,C,V
FOR FOREIGN EXCHANGE
Rates used for translation of both foreign currency
transactions and balances are compared to published rates.A
FOR DEPRECIATION AND AMORTIZATION
The system automatically calculates the expense and posts
to the proper ledgers.A
Edit checks exist to prevent depreciation/amortization in
excess of the original value of the asset.A
Accounting department is notified of and considers
acquisitions, transfers, sales and abandonments of assets in
computing depreciation/amortization.
A
FOR INCOME TAXES
Details of sources of tax information are prepared,
updated, and compared to items recorded during the
accounting period prior to period end to determine
whether all events and transactions with significant tax
consequences and book-to-tax differences have been
identified and accounted for.
C,A
Calculation of the tax provision and changes to the
deferred tax accounts and any valuation allowances are
performed by knowledgeable personnel on a timely basis
and are independently reviewed.
C,E,A,V
The tax provision and deferred tax accounts are reconciled
to the tax return on a timely basis.
C,E,A
Only appropriate and authorized people can transfer data
to the general ledger.
C,E,ATransfers
from Sub-
ledgers
Transfer entries from
other systems are
accurate, complete and
The general ledger
may not be
accurate and
Page 41 of 43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
42/43
Process Control Objective Risk Control Considerations P/D
Assertion
E,A,C,V,P
All sub-ledger totals by account are compared to the
general ledger system.
C,E,A
The completed general ledger closing checklist is reviewed
by management.
C,E,A
The prior periods closing balance is reconciled to the
current periods opening balance.
C,E,A
All reconciliations are reviewed by management. C,E,A
Management reviews all suspense accounts and resolves
all items before the close.
C,E,A
Reconciliations of all inter-company accounts are
performed and reviewed by management.
C,E,A
The completed consolidation checklist is reviewed by
management.
C,E,A
The financial statements in the consolidation package are
reconciled to the trial balances from each entitys general
ledger, including any post-closing (top-side) adjustments.
C,E,A
All consolidating and eliminating entries are reviewed by
management.
C,E,A,V
All top-side entries are properly authorized. E,V
Only authorized and appropriate individuals can post top-
side entries.
E,V
Adequate audit trails exist for all top-side entries. E,A,V
Top-side entries are compared to source documents after
they are entered into the system or otherwise reviewed by
management.
C,E,A,V
Management has established and documented a process for
preparing and reviewing financial statements based on the
accumulation of the relevant data from throughout the
company.
C,E,A,V,PPreparation
of the
Financial
Statements
Financial statements
are prepared accurately
and timely.
Financial
statements may be
misstated
Consolida-
tions
Corporate
consolidations are
complete and accurate.
Corporate
consolidations are
inaccurate
Unauthorized top-
side entries can be
made
General
Ledger Close
All valid entries are
updated to the
appropriate accounts
prior to period-end
closing.
All entries may not
be reflected
properly in the
general ledger.
Inter-
company
Accounts
Inter-company
accounts are recorded
completely, accurately
and in a timely manner.
Inter-company
accounts may not
be properly
eliminated
basis.
.
Page 42 of 43
-
7/30/2019 155289907A-133 Compliance Internal Control Tool
43/43
Process Control Objective Risk Control Considerations P/D
Assertion
E,A,C,V,P D
Applicability of new accounting pronouncements is
considered, documented, and communicated to appropriate
personnel throughout the company.
C,E,A,V.P
Financial statement account groupings are prepared
consistently with prior periods, and are reviewed by
management.
C,E,A,V,P
Financial statements are independently reconciled to the
appropriate supporting schedules.
C,E,A
Financial statements are tested for clerical accuracy. A
The completed disclosure checklist is reviewed by
management.
P
Management and the board of directors review and
approve the financial statements, including the related
footnotes.
C,E,A,V,P
The footnotes are reconciled to supporting documentation. C,E,A
Final
Financial
Statements
and
Disclosures
All necessary contents
and disclosures are
included in the
financial statements.
Contents or format
of financial
statements may be
incorrect or
missing
disclosures.