Entities receiving federal funds must, in accordance with 2 CFR 200.303 of the Uniform Guidance (UG), establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. The section goes on to say that these internal controls should be in compliance with either the “Standards for Internal Control in the Federal Government” (the ‘Green Book’) or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Your auditors will be looking to ensure that your organization has a sound system of internal control, as they are required to test your internal control over major programs in a Single Audit. Weaknesses in this area may result in audit findings. Even apart from the consequences of audit findings, weaknesses in internal control leave your organization more exposed to fraud and to errors that go undetected.
We recommend that you review the questionnaire below to take an honest look at your organization’s level of internal control and to identify areas that need to be addressed. The areas listed are not intended as a ‘be-all/end-all checklist’ of required characteristics; depending on the size and structure of your organization and the philosophy of its management, you may have different mechanisms in place that meet your particular needs. Smaller entities typically lack the capacity to implement every area listed below. With foresight, however, even smaller organizations can develop systems and processes that meet effective standards for internal control.
Listed below is a summary of the Green Book and COSO components and principles of internal control:
Control Environment
- Demonstrate commitment to integrity and ethical values
- Exercise oversight responsibility
- Establish structure, responsibility and authority
- Demonstrate commitment to competence
- Enforce accountability
Risk Assessment
- Define objectives and risk tolerances
- Identify, analyze, and respond to risks
- Assess fraud risk
- Identify, analyze, and respond to change
Control Activities
- Design control activities
- Design activities for the information system
- Implement control activities
Information and Communication
- Use quality information
- Communicate internally
- Communicate externally
Monitoring
- Perform monitoring activities
- Evaluate issues and remediate deficiencies
Part 6 – Internal Control of the Compliance Supplement (CS) is a useful tool for your organization. Appendix 1 includes illustrations of entity-wide internal controls over Federal awards, while Appendix 2 illustrates internal controls specific to each type of compliance requirement.
Entity-wide controls are governance controls that apply to most, if not all, types of compliance requirements for one or more federal programs. Part 6 discusses them in terms of the following components: control environment, risk assessment, information and communication, and monitoring.
The areas below are a portion of the Illustrative Entity-Wide Controls taken from Appendix 1 of the Compliance Supplement. This listing is meant as a higher-level version of the questions your organization can ask itself; read the CS for a more robust listing. These areas align with the Green Book/COSO principles:
The oversight body and management should demonstrate a commitment to integrity and ethical values.
- Does your organization have a documented code of conduct that is communicated to employees and regularly updated?
- Do you obtain conflict of interest statements from those charged with governance (TCWG), your key management personnel, and other personnel as necessary?
The oversight body should oversee the entity’s internal control system.
- Does a whistleblower submission process exist to receive and evaluate concerns by employees regarding questionable practices, including issues affecting federal award compliance or non-compliance?
- Does your organization have an audit committee, and does it address federal compliance oversight?
- Do the TCWG have effective two-way communication with external and internal auditors?
Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
- Do your written policies, procedures and organizational charts provide for segregation of duties within and among processes and controls?
- Are there policies and procedures in place to ensure compliance responsibilities are assigned to particular positions?
Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- Do job descriptions include appropriate knowledge and skill requirements?
- Are personnel with federal award compliance responsibilities properly trained on their responsibilities?
Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
- Do violations of the code of conduct result in remedial actions that deter others?
- Are there consequences for non-compliance with the code of conduct, and are they communicated and enforced?
- Are penalties for inappropriate behavior adequate and publicized?
Management should define objectives clearly to enable the identification of risks and define risk tolerances.
- Has management established an effective risk assessment process that includes the use of a specific risk matrix?
- Has management identified key compliance objectives for each type of compliance requirement?
Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Does management analyze and identify compliance risks?
- Are risk mitigation strategies implemented by management?
Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
- Does management review audit findings to identify fraud risks?
- Do the TCWG periodically review a report of the potential fraud risks identified and the actions taken in response to those risks?
Management should identify, analyze, and respond to significant changes that could impact the internal control system.
- Does management identify changes such as new personnel, new technology, expanded operations, rapid growth, or changes in the operating environment, and conduct risk assessments to address those changes?
- Is a communication process with regulators in place to identify changes in compliance requirements?
- Are changes in management philosophy or employee turnover evaluated by management for any potential impact on related controls?
Management should use quality information to achieve the entity’s objectives.
- Do the financial and programmatic systems capture, accurately process, and timely report pertinent information?
- Does the accounting system provide for separate identification of federal and non-federal transactions?
- Are reports provided timely to managers for review and appropriate action?
- Does management verify the sources and reliability of information used in making management decisions and executing monitoring controls?
When information is derived from the organization’s information technology (IT) systems:
- Do written policies and procedures regarding IT security exist?
- Are user access rights approved and granted based on job responsibilities?
- Are access rights, including super-user access, reviewed periodically?
- Is access revoked in a timely manner when an employee separates or changes roles?
- Are remote and third-party access rights managed, including timely revocation of those rights?
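The IT access questions above are easier to answer with evidence than with assertion if the periodic review is scripted. The following is an added example written for this page, not code from the Compliance Supplement or from the original article. It reconciles a constructed HR roster and account list against a hypothetical role-to-entitlement matrix and flags the five conditions the questionnaire asks about: entitlements outside the person's role, privileged access not re-certified within a set interval, accounts still active after a separation date, third-party access with no end date, and one person holding a segregation-of-duties conflict. The roles, entitlements, thresholds and sample users are all assumptions made up for the example.

```python
"""Periodic user-access review over constructed sample data (added example).

Checks: entitlements match the role, privileged access is re-certified on a
schedule, access is revoked promptly after separation, third-party access has
an end date, and no single person holds conflicting duties.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role-to-entitlement matrix: the "approved based on job
# responsibilities" baseline. Roles, entitlements and thresholds are assumptions.
APPROVED = {
    "grants_accountant": {"gl_post", "grant_report_view"},
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve", "grant_report_view"},
    "sysadmin": {"os_root", "db_admin"},
}
PRIVILEGED = {"os_root", "db_admin"}          # super-user entitlements
# Entitlement pairs one person should not hold together (segregation of duties).
SOD_CONFLICTS = [frozenset({"vendor_create", "payment_approve"}),
                 frozenset({"invoice_enter", "payment_approve"})]
PRIV_REVIEW_DAYS = 90    # re-certification interval for privileged access
REVOKE_SLA_DAYS = 3      # days allowed between separation and deactivation


@dataclass
class Person:
    uid: str
    role: str
    kind: str                           # "employee" or "third_party"
    end_date: Optional[date] = None     # separation or contract end date


@dataclass
class Account:
    uid: str
    entitlements: set
    last_reviewed: Optional[date]       # date of last access re-certification
    active: bool = True


def review_access(people, accounts, today):
    """Return (uid, check, detail) findings for every active account."""
    roster = {p.uid: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue
        person = roster.get(acct.uid)
        if person is None:
            findings.append((acct.uid, "orphan", "active account with no roster entry"))
            continue
        if person.end_date and (today - person.end_date).days > REVOKE_SLA_DAYS:
            days = (today - person.end_date).days
            findings.append((acct.uid, "revocation",
                             f"{person.kind} ended {days} days ago, account still active"))
        extra = acct.entitlements - APPROVED.get(person.role, set())
        if extra:
            findings.append((acct.uid, "role_mismatch",
                             f"not approved for role {person.role}: {sorted(extra)}"))
        if acct.entitlements & PRIVILEGED and (
                acct.last_reviewed is None
                or (today - acct.last_reviewed).days > PRIV_REVIEW_DAYS):
            findings.append((acct.uid, "privileged_review",
                             f"privileged access not re-certified within {PRIV_REVIEW_DAYS} days"))
        if person.kind == "third_party" and person.end_date is None:
            findings.append((acct.uid, "third_party", "third-party access with no end date"))
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append((acct.uid, "sod",
                                 f"holds conflicting entitlements {sorted(pair)}"))
    return findings


# Constructed sample roster and account export; every name is made up.
AS_OF = date(2024, 5, 10)
SAMPLE_PEOPLE = [
    Person("asmith", "grants_accountant", "employee"),
    Person("bjones", "ap_clerk", "employee", end_date=date(2024, 5, 1)),   # separated
    Person("cdoe", "ap_manager", "employee"),
    Person("dvendor", "ap_clerk", "third_party"),                          # no end date
    Person("eroot", "sysadmin", "employee"),
]
SAMPLE_ACCOUNTS = [
    Account("asmith", {"gl_post", "grant_report_view"}, date(2024, 4, 1)),
    Account("bjones", {"vendor_create", "invoice_enter"}, date(2024, 4, 1)),
    Account("cdoe", {"payment_approve", "grant_report_view", "vendor_create"}, date(2024, 4, 1)),
    Account("dvendor", {"vendor_create", "invoice_enter"}, date(2024, 4, 1)),
    Account("eroot", {"os_root", "db_admin"}, date(2024, 1, 1)),            # stale review
    Account("ghost", {"gl_post"}, None),                                    # not on roster
]


def run_sample():
    return review_access(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for uid, check, detail in run_sample():
        print(f"{uid:<8} {check:<18} {detail}")
```

In practice the roster comes from the HR system and the account list from a directory or application export; the findings list is the evidence an auditor asks for when testing the "reviewed periodically" and "revoked in a timely manner" questions, and the role matrix is the documented basis for "approved based on job responsibilities".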
Management should internally communicate the necessary quality information to achieve the entity’s objectives.
- Is relevant internal and external information communicated and delivered to employees responsible for federal award compliance on a timely basis?
- Do effective channels for communication throughout the organization exist?
Management should externally communicate the necessary quality information to achieve the entity’s objectives.
- Is relevant information communicated to external parties, including subrecipients, vendors, federal granting agencies, and third-party processors, on a timely basis?
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- Does management monitor the effective operation of critical control activities?
- Does management reconcile key performance indicators with data from financial or other reporting systems to ensure their accuracy?
Management should remediate identified internal control deficiencies on a timely basis.
- Are findings, recommendations and other observations by independent auditors, internal auditors, and federal auditors distributed to and reviewed by the individuals responsible for compliance with federal requirements?
- Does management periodically monitor the corrective action plans related to known noncompliance and control deficiencies, and the organization’s progress in remediating the findings?
This was just a high-level look at Appendix 1 of the Compliance Supplement, Part 6 – Internal Control. The Control Activities principles (Principles 10-12) of the Green Book/COSO framework are addressed in Appendix 2 and are a discussion for another day. Feel free to review Appendix 2 on your own for the Illustrative Specific Controls for each of the 12 types of compliance requirements noted for federal awards.