Budget Policy & Reporting Manual
B-350
Governmental Internal Control and Internal Audit Requirements
I. Purpose and Scope
This Item outlines efforts required of State agencies and public authorities to comply with the Governmental Accountability, Audit and Internal Control Act of 1999 (the Internal Control Act or the Act). This Item is being revised to address recommendations included in the Internal Control Task Force’s report issued in September 2006, and to update the list of agencies covered by the Act and the list of agencies required to establish and maintain an internal audit function. This item provides guidance on internal control responsibilities, internal audit responsibilities, internal control certification and reporting, and professional standards. The primary purpose of these activities is to enhance the integrity of government operations, provide reasonable oversight of State operations, ensure State funds and resources are used efficiently and effectively, and give reasonable assurance that State assets and resources are appropriately protected and managed.
This Item covers any State department, agency or other governmental entity performing a function for the State, and any public authority or public benefit corporation, a majority of whose members are appointed by the Governor or serve as members by virtue of holding State offices to which they were appointed by the Governor, other than a bi-state authority or public benefit corporation, the Judiciary and the State Legislature.
To identify all State agencies and authorities for the purpose of implementing the provisions of this Item, the Director of the Budget issues and periodically revises a Schedule of Covered State Agencies and Authorities Subject to Internal Control Requirements (see Attachment A). Public authorities should utilize this Item in conjunction with any reporting requirements pursuant to the Public Authorities Accountability Act of 2005 and any guidance from the Authority Budget Office.
II. Internal Control Responsibilities
The Internal Control Act defines internal control as the integration of activities, plans, attitudes, policies, systems, resources and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.
Agency heads and authority boards are accountable for implementing effective internal controls in their entities, including assuring there are appropriate controls for all programs, regional offices, facilities, boards, commissions, committees and councils. These internal controls should be consistent with State laws, rules, regulations, and applicable statewide administrative and financial practices.
The Standards for Internal Controls in New York State Government, issued by the Office of the State Comptroller (OSC), recognizes evaluation, strategic planning and internal audit as activities supporting a good internal control system. As appropriate, management should coordinate and integrate documentation and reporting of these complementary processes, to avoid redundancies and duplication of effort.
This Item requires State agencies and public authorities to perform the following internal control responsibilities consistent with the Act’s six requirements:
- Establish and maintain guidelines for a system of internal controls for the agency or authority. Internal control guidelines communicate an organization’s management and programmatic objectives to its employees and provide the methods and procedures used to assess the effectiveness of its internal controls in supporting those objectives.
Internal control guidelines should:
- State the agency head’s support of internal controls to provide staff with an understanding of the benefits of effective controls;
- Identify the agency’s primary responsibilities and the objectives;
- Explain how internal controls are organized and managed;
- Define responsibilities of agency management and supervisors and agency staff;
- Acknowledge that internal controls adhere to accepted standards; and,
- Describe the organization’s process for evaluating internal controls.
- Establish and maintain a system of internal controls and a program of internal control review for the agency or authority. The system of internal control should be developed using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) conceptual framework adopted in the Standards for Internal Controls in New York State Government, and should incorporate COSO’s five basic components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
The program of internal control review shall be a structured, continuing and well-documented system designed to identify internal control weaknesses, identify actions that are needed to correct these weaknesses, monitor the implementation of necessary corrective actions and periodically assess the adequacy of the agency’s or authority’s internal controls.
Organizations can adopt a system of internal control review tailored to their needs, size, and degree of centralization. The procedures for evaluating the adequacy of that system also vary, but at a minimum should:
- Identify and clearly document the primary operating responsibilities (functions) of the agency or authority;
- Define the objectives of these functions so they are easily understood by staff accountable for carrying out the functions;
- Identify and document the policies and procedures used to execute functions;
- Identify the major functions of each of the agency’s assessable units;
- Develop a process or cycle to assess risk and test controls for the major functions;
- Assess the risks and consequences associated with controls failing to promote the objectives of major functions;
- Test internal controls to ensure they are working as intended (see the “Manager’s Testing Guide”);
- Institute a centrally monitored process to document, monitor and report deficiencies and corrective actions.
- Make available to each officer and employee of the agency or authority a clear and concise statement of the generally applicable management policies and standards with which the officer or employee of such agency or authority shall be expected to comply, along with detailed policies and procedures the employees are expected to adhere to in completing their work. The statement should set the tone at the top. It should be issued periodically and emphasize the importance of effective internal controls to the agency or authority and the responsibility of each officer and employee for effective internal controls.
Managerial policies and procedures for the performance of specific functions are articulated in administrative manuals, employee handbooks, job descriptions, and applicable policy and procedure manuals. While it is not necessary for all employees to possess all manuals, employees should be provided with, or have access to, applicable policies and procedures for their position.
- Designate an Internal Control Officer (ICO), who shall report to the head of the agency or authority or to their designee within the executive office, to implement and review the internal control responsibilities established pursuant to this Item. The designation of the ICO should also be communicated to employees. The ICO works with appropriate personnel within the agency or authority to coordinate the internal control activities and to help ensure that the internal control program meets the responsibilities established by this Item. Although the ICO evaluates the adequacy of the internal control reviews performed by agency or authority staff, program and line managers are primarily responsible for conducting reviews to assure adherence to controls, and analyzing and improving control systems. The ICO should be an individual with sufficient authority to act on behalf of the agency head in implementing and reviewing the agency’s internal control program. This individual should have a broad knowledge of agency operations, personnel, and policy objectives.
- Implement education and training efforts to ensure that officers and employees have achieved adequate awareness and understanding of internal control standards and, as appropriate, evaluation techniques. Agencies and authorities should identify staff requiring internal control training and the depth and content of that training. Such education and training should be on-going with specific courses directed at line staff, middle managers and executive management. For organizations that have established internal audit functions, training and education should be offered on the appropriate role of the internal auditor within the organization’s internal control system.
- Periodically evaluate the need to establish, maintain or modify an internal audit (IA) function. The Director of the Budget has established a list of agencies required to establish IA functions (see Section III below).
III. Internal Audit Responsibilities
The Internal Control Act’s sixth and final requirement pertains to covered State agencies’ need for an internal audit function. The Act defines internal audit as an appraisal activity established by management for reviewing agency operations to assure compliance with management policies and the effectiveness of internal controls. The internal audit function evaluates the agency’s processes for risk management, internal controls, and governance; identifies control weaknesses; and makes recommendations to correct these weaknesses.
Pursuant to the Act, internal audits are to be conducted in conformance with generally accepted standards for internal auditing. The standards define this activity as an independent, objective assurance and consulting service designed to add value and improve an organization’s operations. The internal audit activities should help accomplish objectives by having a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
While all agencies are required to have internal controls, all agencies may not warrant an internal audit function. Based on a preliminary evaluation by agencies, the Director of the Division of the Budget determined that about one third of all State agencies are required to have an internal audit (IA) function. However, all agencies are encouraged to consider the need for an internal audit function.
The current List of Agencies Required to Establish and Maintain an Internal Audit Function is included as Attachment B to this Item. Agencies included on this list are generally those with: varied and complex programs; decentralized organizational structures; large budgets; significant revenue, grant or reimbursement functions; or major regulatory or investigatory responsibilities.
Pursuant to the Act, the internal audit function shall be managed by a Director of Internal Audit (DIA), appointed by the agency head based on candidates’ internal audit credentials, education and experience. The Act requires that the DIA position be in the exempt class and appointments to this position must be approved by the Director of the Division of the Budget. The DIA shall report directly to the State agency head or their designated executive deputy or equivalent position.
- Evaluating the Need for Internal Audit
Pursuant to the Act, agencies and authorities are required to periodically evaluate the need to establish, maintain or modify an IA function.
- Agencies and authorities can utilize the Internal Audit Evaluation Criteria (Attachment C) as a tool to assess the need for an IA unit.
- Agencies concluding that an IA function is warranted should submit Attachment C to DOB’s Administrative and Information Technology Services Unit which will coordinate a review and determination with the appropriate examination unit.
- Agencies with IA functions should review current operations to determine whether those operations should be altered or maintained and should assess whether having an audit committee would be beneficial and appropriate for the agency. More information on audit committees, including a sample audit committee charter, can be located at the Authority Budget Office’s website at http://www.abo.state.ny.us/recommendedpractices.
- Agencies without an IA function should periodically reevaluate the need for such a function using Attachment C, especially when organizational, operating, fiscal, program, legal, or personnel changes occur which affect the agency’s exposure to risk or which could otherwise change the results of the initial assessment.
- Although public authorities are not required to submit an internal audit evaluation to the Division of the Budget, the governing board of each authority is required to determine the need for an IA function and to periodically review that initial assessment.
- Creating Director of Internal Audit Positions
Once an agency has been required to establish an internal audit unit, it must define the exact duties of the Director of Internal Audit position consistent with accepted internal audit standards and develop specific qualifications within the parameters of the minimum and preferred qualifications (outlined below) that will be required for the position.
Concurrent with this effort, agencies must also obtain formal Civil Service Commission approval to place the Director of Internal Audit position in the exempt class. For more information on obtaining Civil Service Commission approval for placing the Director of Internal Audit position in the exempt class, please contact the Department of Civil Service's Division of Classification and Compensation at (518) 474-1011.
- Appointing Directors of Internal Audit
- Effective performance as a Director of Internal Audit (DIA) requires a broad base of experience and skills. DIAs should have knowledge of governmental operations and be able to identify management, organizational, and operating problems and assess their implications. They should possess effective communication skills to articulate audit objectives, findings and recommendations in a clear, concise and convincing manner. DIAs must be good supervisors, trainers and evaluators of employees. They must possess good interpersonal skills so they can deal effectively with auditees and other staff. Underlying these skills should be a working knowledge of professional auditing standards, and goals and techniques of internal auditing or program evaluation.
- Pursuant to the Act, the Budget Director shall review and approve all appointments to DIA positions as part of the regular review of agencies’ requests for Budget Director Approval (BDA) forms. As part of the review, DOB shall take appropriate steps to ensure that appointments to DIA positions conform – to the extent practicable – to the minimum and preferred qualifications outlined below.
- As a guideline, when recruiting individuals for appointment to DIA positions, agencies should consider the following:
- Minimum Qualifications
- An undergraduate degree (or equivalent combination of education and experience);
- Five years of progressively responsible experience conducting or managing one or more of the following: audits, examinations, or program reviews, including two years in a supervisory capacity;
- Preferred Qualifications (beyond minimum qualifications)
- Professional certification, such as Certified Internal Auditor (CIA), Certified Public Accountant (CPA), or Certified Information Systems Auditor (CISA);
- Master’s degree in accounting, business, public administration, economics, management, or a field closely related to the agency’s service sector;
- Desired Knowledge, Skills and Abilities
- Extensive knowledge of professional audit standards;
- Demonstrated oral and written communication skills;
- Experience focusing on the activities of the respective agency’s service sector; and
- Extensive knowledge of government operations.
- Once a candidate has been selected, the agency should forward its recommendation and BDA form to the Governor’s Appointments Office. DOB will then review the request and make a final recommendation to the Governor’s Appointments Office. As a supplement to the BDA, agencies should submit the candidate’s resume, an organization and staffing plan for the IA unit, and other supporting documentation as requested by DOB.
- Complying with Internal Audit Standards and Guidance
Pursuant to this Item, agencies identified in Attachment B as being required to have – and those entities choosing to have – an internal audit unit should comply with The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. Also, State agencies should understand: 1) The New York State Office of the State Comptroller’s (OSC) Standards for Internal Controls in New York State Government; and 2) that agencies will be evaluated accordingly in any audits performed by OSC. Additionally, IA units should comply with the internal audit guidance outlined as follows regarding organizational placement, independence and reporting.
- Directors of Internal Audit (DIA) should report functionally to the agency head or audit committee and may report administratively to the designated executive deputy (or equivalent position). If the executive deputy has line or staff duties, the DIA should report directly to the agency head.
- A current organizational chart should be available upon request that identifies the placement of the IA unit, the individual that has responsibility for overseeing the internal audit activity, and any other organizations or activities that may be under the purview of the DIA.
- The IA function should be independent of the Internal Control Officer (ICO), but should work closely with the ICO. Limitations should be established on internal control activities where those duties overlap. Agencies should identify impairments to the independence of the DIA that may be created where the DIA is performing the ICO function. Furthermore, IA units should not assume operating responsibilities, perform management functions, make management decisions, or assume other monitoring roles (e.g., Information Security Officer).
- Internal audit staff should complete an annual independence statement identifying actual/potential impairments to independence and notifying the DIA whenever a new actual/potential impairment arises.
- At a minimum, DIAs should hold quarterly meetings with agency executive management and the audit committee, where applicable, to report on audit results. Final reports should be distributed to the agency head, executive deputy, auditee, ICO and the audit committee.
- The DIA should assure that agency audit staff have the skills, knowledge and ability to perform the audit work required, and that the size of the audit staff is appropriate given the size and complexity of the organization.
- IA units should take appropriate steps to ensure sufficient audit resources are available given the size and complexity of the organization. This can be accomplished by exploring the following alternatives:
- Insourcing (i.e., using agency staff from a unit other than internal audit to work on a project or audit);
- Outsourcing (i.e., contracting with an independent auditor, including both certified public accounting firms and other State agency internal audit units, for specific audit services); and
- Sharing audit resources and best practices with other agencies.
For more information on accomplishing appropriate audit coverage with limited resources, please refer to the Internal Control Task Force’s (ICTF) report entitled, “Internal Audit Outsourcing, Insourcing and Shared Services” which can be found at the following website:
www.osc.state.ny.us/agencies/ictf/docs/implement_guide_20060907.pdf
IV. Annual Internal Control Certification and Reporting
- Internal Control Certification
On or before March 31 annually, the head of each covered State agency or authority, who has met the responsibilities outlined above, submits a compliance certificate to the Director of the Budget. Through this document, to be transmitted as shown in Attachment D, the official affirms that his or her agency or authority has complied with the six specific requirements of the Internal Control Act as outlined in Sections II and III of this item.
- Internal Control Summary Report
The certification should be accompanied by an “Internal Control Summary Report,” which provides a brief overview of the major internal control activities undertaken during the year, including a description of the management actions to strengthen internal controls, and a synopsis of key findings and corrective actions. The “Internal Control Summary Report” format is presented to agencies each year in a Budget Bulletin calling for the annual certifications.
The annual “Internal Control Summary Report” has agencies report on:
- The internal control review and testing process, high-risk activities and those areas which were reviewed.
- The significant deficiencies revealed by the review process; summarizing the actions taken to eliminate deficiencies and describing the system used to monitor corrective actions.
- Education and training provided to keep staff aware of internal controls and to sustain the effectiveness of the internal control program.
- Where appropriate, information on the entity’s IA unit, including details on organizational placement, independence and reporting; the qualifications of the DIA; and the processes used by the unit to organize, manage and operate its internal audit activities and processes (e.g., risk analysis, audit planning, work papers, audit committee, continuing professional education, peer review, etc.).
- Compliance Plan
Any agency or authority head who is unable to certify should submit by March 31 an outline and timetable of actions to achieve compliance and subsequent certification as soon as practicable.
V. Adherence to Professional Standards
- Internal Control Standards
State agencies and authorities should design and maintain internal control systems in conformance with generally accepted professional standards, including Standards for Internal Controls in New York State Government, promulgated by the Office of the State Comptroller (OSC). These standards can be located at OSC’s website at http://www.osc.state.ny.us/agencies/ictf/docs/intcontrol_stds.pdf.
- Internal Audit Standards
Professional standards for internal auditing address the basic principles of independence, professional qualifications of staff, nature of the audit work, procedures to be followed in conducting audits, and management of the IA function. The Institute of Internal Auditors’ (IIA) Standards for the Professional Practice of Internal Auditing can be viewed on IIA’s website at http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/. State agencies required to establish and maintain internal audit units pursuant to this Item must operate those units in accordance with these standards or equivalent standards. Agencies and authorities not required by this Item to operate IA units, but which elect to do so, also must conform to these standards or equivalent standards.
VI. References
- Standards for Internal Controls in New York State Government, Office of the State Comptroller, can be located at OSC’s website at http://www.osc.state.ny.us/agencies/ictf/docs/intcontrol_stds.pdf.
- Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, can be located at the COSO website at http://www.coso.org/.
- Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, can be located at the IIA website at http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/.
- Public Authority Accountability Act (Chapter 766 of the Laws of 2005), The Authority Budget Office, can be located at the ABO website at http://www.abo.state.ny.us/.
- New York State Internal Control Association (NYSICA), NYSICA provides internal control and internal audit information, best practices, sample documents and forms, and free training and staff development to member State agencies and public authorities and can be located at the NYSICA website at http://www.nysica.com/