155289907A-133 Compliance Internal Control Tool

7/30/2019 155289907A-133 Compliance Internal Control Tool

1/43

Compliance

Requirements Objective

Risk Assessment Expected

Control Existing Control

Control Activities Expected

Control

A - Activities

Allowed or

Unallowed

To provide reasonable

assurance that the Program

funds are expended for

allowable activities and that

the cost of goods and

servcies charged to the

program are allowable and

in accordance with the

Federal requirements and,

as applicable, appropriate

cost principles

Management assesses risks

resulting from changes to

cost-accounting systems that

may have an impace on the

progam. In addition, key

managers who oversee the

administration of the progam

have a sufficient

understanding of staff,

processes, and controls to

identify where unallowable

activities or costs could be

charged to the program and

not be detected.

1. Accountability is provided

for charges and costs made

to the program, other Federal

and non-Federal activities.

2. Procedures are in place to

ensure that there is

consistent treatment in the

distribution of charges as

direct and indirect costs to

the program.

3. Organization procedures

are in place for checking the

accuracy of computations.

4. Supporting documentation

is compared to a list of

allowable and unallowable

costs for the program.

5. Adequate segregatoin of

duties are in place in the

review and authorization of

costs charged to the

program.

6. Payments are approved

by a person who is

knowledgeable of therequirements for determining

activities allowed or

unallowed for the program.

B- Allowable

Costs/Cost

Principles


assurance that the Program

funds are expended for

allowable activities and that

the cost of goods and

servcies charged to the

program are allowable and

in accordance with theFederal requirements and,

as applicable, appropriate

cost principles

1. Management has

established a process for

assessing risk resulting from

changes to cost accounting

systems. 2.

Key managers have a

sufficient understanding of

staff, processes, and controlsto identify where unallowable

activities or costs could be

charged to a Federal

program and not be detected.

1. There is a process in

place for timely updating of

procedures for changes in

activities allowed and cost

principles.

2. Supporting documentation

is compared to a list of

allowable and unallowableexpenditures. 3.

Adequate segregation of

duties in the review and

authorization of costs.

4. Accountability is provided

for charges and costs

between Federal and non-

Federal activities


2/43

Compliance





Control

C- Cash

Management


assurance that the draw

down of the Program cash

is only for immediate needs,

states comply with

applicable Treasury

agreements,and recipients

limit payments to

subrecipients to immediate

cash needs

1. There are written

procedures in place to

anticipate, identify, and react

to routine events that affect

progam cash needs.



assess the adequacy of

subrecipient cash needs.

3. Management is aware of

the cash management

requirements for the

program.

1. The accounting system is

capable of scheduling

payments for accounts

payable and requrests for

funds from the U.S Treasury

to avoid time lapse between

draw downs of funds and

actual disbursement of funds.

2. Reconciliations of cash

draw downs to actual cash

disbursements are performed

monthly. 3. There

are written policies and

procedures for requesting

program cash advances as

reasonable close as possible

to actual program cash

outlays? 4.

There are written procedures

for monitoring of cash

management activities.


procedures in place for

repayment of excess interest

earnings.6. Draw down requests are

reviewed and approved prior

to being drawn down.

D- Davis-Bacon Act To provide reasonable

assurance that contractors

and subcontractors were

properly notified of the

Davis-Bacon Act

requirements and the

required certified payrolls

were submitted to the non-Federal entity.


identify contractors and

subcontractors most at risk of

not paying the prevailing

wage rates.

2. Policies and procedures

are in place at the

organization to reduce therisk to an acceptable level.

3. Management has

identified how Davis-Bacon

compliance will be monitored

and the related risks of

failure to monitor compliance.

1. Contractors are informed

in the procurement

documents of the prevailing

wage rates.

2. Contractors and

subcontractors are required

to submit certifications and

copies of payroll documents.3. Contractor and

subcontractor payrolls are

monitored to ensure certified

payrolls are submitted.

E- Eligibility To provide reasonable

assurance that only eligible

individuals and

organizations receive

assistance under Federal

award programs, that

subawards are made only to

eligible subrecipients, and

that the amounts provided

to or on behalf of eligibles

were calculated in

accordance with program

requirements.

1. Risks for program

eligibility are prepared

internally or received from

external sources.


are in place to reduce the

risk of payments to ineligible

recipeints.

3. Conflict of interest

statements/independence

statements are maintained

for personnel who determine

eligibility for the program.

1. Written policies provide

direction for making and

documenting eligibility

determinations for the

program.


provide reasonable

assurance that the methods

used to calculate eligibilty

amounts are consistent with

program requirements.

3. Authorized signatures on

eligibility documents are

periodically reviewed.

4. Access to eligibil ity

records are restricted.


provide reasonable

assurance that data is

accurately, properly and

completely used in making

eligibility determinations


3/43

Compliance





Control

F- Equipment and

Real Property

Management


assurance that proper

records are maintained for

equipment acquired with

Federal awards, equipment

is safeguarded and

maintained, disposition or

encumbrance of any

equipment or real property

is in accordance with

Federal requirements, and

the Federal awarding

agency is appropriately

compensated for i ts share

of any property sold or

converted to non-Federal

use.

1. Management has

identified the risk of

appropriation or improper

disposition of property

acquired with Federal

awards.


identify potential areas of

noncompliance.

1. Detailed records are

maintained on all acquisitions

& dispositions of property

acquired with Federal

awards.

2. Property tags are placed

on equipment upon reciept.

3. A physical inventory of

equipment is periodically

taken and compared to

property records.


are in place covering record

keeping responsibilities &

dispostions.

5. Property records contain

description, (including serial

number), source, who holds

title, acquisition date and

cost, percentage of Federal

participation in the cost,

location, condition &

disposition data.

6. Procedures have been

established to providereimbursement to the Federal

agency for disposition of

property.

G- Matching, Level

of Effort, Earmarking


assurance that matching

level of effort, or earmarking

requirements are met using

only allowable funds or

costs that are properly

calculated and valued.

1. Management has

identified areas where

estimated values may be

used for matching, level of

effort or earmarking

purposes.

2. Management has a

sufficient understanding ofthe accounting system so

potential recording problems

may be identified.

1. Evidence pertaining to

matching contributions

obtained from outside

organizations is obtained.

2. The organization has


identify whether such

matching contributions arefrom non-Federal sources, do

not involve Federal funds, or

were not used for another

federal progam.


4/43

Compliance





Control

H- Period of

Availability of

Federal Funds


assurance that federal

funds are used only during

the authorized period of

availability.

1. The budgetary process

considers the period of

availability of federal funds

as to both obligation and

disbursement of funds.

2. Management has

assessed the risk that federal

funds will be expended

(obligated) outside the grant

period and policies and

procedures are in place.

1. The accounting system

provides reasonable

assurance that federal funds

will not be expended or

obligated outside (after the

close of) the grant period.

2. Program managers are

advised of impending cut-off

dates for period of

availability.

3. A review of expenditures

is conducted by supervisors

knowledgeable of the period

of availability for the funds.

4. Procedures are in place at

the end of the period of

availability to ensure that the

cancellation of unliquidated

commitments.

I- Procurement and

Suspension and

Debarment


assurance that procurement

of goods and services are

made in compliance with

the Provisons of A-102

"Common Rule" and that

covered transactions (as

defined in suspension and

debarment common rule)

are not made with a

debarred or suspended

party.

1. Management has

identified risks arising from

conflict of interest (kickbacks,

related party transactions,

bribery, etc). 2.

Written policies and

procedures are in place to

regarding conflict of interest.

3. Management has

identified risks arising from

vendor adequacy (quality of

goods and services).

4. Conflict of interest

(independence statements)

statements are maintained

for personnel responsible for

the procurement of goods

and services. 5.

Management has identified

where noncompliance could

likely occur for procurement,

suspension and debarment.

1. There are appropriate

segregation of duties

between employees who are

responsible for contracting,

accounts payable, anc cash

disbursing.

2. Written policies and

procedures are in place for

the procurement of goods

and services.

3. Contract files document

significant procurement

history, suspension and

debarment certifications are

obtained from each

prospective vendor.

4. The organization has a

suspension and debarment

policy in place that prohibits

the awarding of a contract,

subaward, or any other

agreement with a suspended

or debarred party.

5. The organization reviews

the contractor's performance

with the terms and conditions

specified in the contract.


5/43

Compliance





Control

J- Program Income To provide reasonable

assurance that program

income is correctly earned,

recorded, and used in

accordance with the

Program requirements.

1. Management has

identified the risk of

unrecorded or miscoded

program income.


are in place with regarrd to

progam income.

3. Management has

established a policy to

analyze variances between

expected and actual income

on a regular basis.

1. Pricing and collection

policy procedures are

communicated to personnel

responsible for program

income.


provide reasonable

assurance that progam

income is properly recorded

as earned and deposited in

the bank as collected.


are in place to assure that

program income will be used

in accordance with federal



are in place to insure that the

Federal share of net income

from the sale, use, or lease

of property previously

acquired with Federal funds

is used for projects eligible

under 23 USC.

K - Real Property

Acquisition/Relocati

on Assistance


assurance of compliance

with the property

acquisition, appraisal,

negotiation, and residential

relocation requirements.

1. Management has

identified the risk that

relocation will not be

conducted in accordance

with the compliance

requirements (e.,g. improper

payements will be made to

individuals or business that

relocate). 2.

Policies and procedures are

in place regarding realproperty acquisition and

relocation assistance

1. Training has been

provided to employees who

handle relocation assistance

and real property acquisition.

2. Reviews and approvals on

all real property acquisition

and relocation assistance

payments are conducted.


6/43

Compliance





Control

L- Reporting To provide reasonable

assurance that reports of

Federal awards, submitted

to the federal awarding

agency or pass-through

entity include all activity of

the reporting period, are

supported by underlying

accounting or performance

records, and are presented

fairly in accordance with


1. Management has

identified risks of faulty

reporting caused by such

items as lack of current

knowledge, inconsistent

application, or disregard for

the standards of financial

reporting requirements of

Federal awards.


identify underlying financial

source data that may not be

reliable.

1. Written policies are in

place that define employee

responsibilities and provide

procedures for periodic

monitoring, verification, and

reconciliation of financial

reporting.

2. There is a system in place

that reminds staff when

reports are due to the

Federal awarding and/or

pass through agency.

3. There is a general ledger

or other reliable accounting

records that is the basis for

the required Federal financial

reports. 4.

The required accounting

method (cash or accrual) is

used to prepare the Federal

financial reports.

5. The Federal financial

reports are reconciled back

to supporting documentation.

6. Federal financial reportsare reviewed and approved

before they are submitted.

M- Subrecipient

Monitoring


assurance that federal

award information and

communication

requirements are identified

to subrecipients,

subrecipient activities are

monitored, subrecipientaudit findings are resolved,

and the impact of any

subrecipient noncompliance

on the pass-through entity

is evaluated. Also, the pass-

through entity should

perform procedures to

provide reasonable

assurance that the

subrecipient obtained

required audits and takes

appropriate corrective

action on audit findings.

1. Managers have the

necessary skill and

experience necessary to

understand the subrecipient

environment, systems, and

controls sufficient so as to

identify the level and

methods of monitoringrequired.

2. Procedures exist to

identify and react to changes

in subrecipients such as

financial problems that could

lead to diversion of funds,

loss of essential personnel,

loss of license or

accreditations to operate the

program, organizational

restructuring, etc.

1. Federal award information

(e.g., CFDA title and number,

award name, name of federal

agency, and amount of

award) and applicable

compliance requirements are

provided to all recipients.

2. The requirement tocomply with all compliance

requirements applicable to all

applicable federal programs,

including the audit

requirements of OMB

Circulare A-133, is included

in all subrecipient

agreements.

3. Performing site visits to

subrecipients to review

financial records and

observing operations is

conducted. 4.

Logging and follow up with all

subrecipients required tosubmit A-133 audit reports is

conducted. 5. A

tracking system is in place to

follow up on reported audit

deficiencies.


7/43

Existing Control

Control Environment

Expected Controls

1. Management sets

reasonable budgets for the

program, other Federal and

non-Federal programs so

that no incentive exists to

miscode expenditures.

2. There is organization wide

cognizance for the need of

separate identification of

allowable program costs.

3. Program questioned costs

are resolved in a timely

basis. 4.

There is a list of allowable

and unallowable

expenditures provided to

personnel responsible for

approving expenditures.

1. Management sets

reasonable budgets for the

program, other Federal and

non-Federal programs so

that no incentive exists to

miscode expenditures.

2. Management enforces

appropriate penalties formisappropriation or misuse of

funds.

3. Organization wide

cognizance of need for

separate identification of

allowable Federal costs.

4. Management provides

personnel approving and pre-

auditing expenditures with a

list of allowable and

unallowable expenditures.


8/43

Existing Control

Control Environment

Expected Controls

1. Staff is knowledgeable

and has been trained about

program cash management

compliance requirements.

2. The organization's cash

draw down requests from the

U.S Treasury are approved

by a supervisor or manager.

3. Subrecipient cash

payment requests are

approved by a responsible

official.

4. Budgets for cash draw

downs are prepared.

5. Management takes

corrective action plans for

known departures from

approved policies and

procedures.

1. The organization

understands and

communicates to its staff,

contractors and

subcontractors the

requirement to pay wages in

accordance with the Davis-

Bacon Act. 2.The organization takes

appropriate corrective action

for known departures from


procedures.

1. The size and competence

level of the staff is adequate

for making required program

eligibility determinations.

2. Realistic

caseload/performance

targets are established for

program eligibility

determinations.

3. Lines of authority and

responsibility are clear for

determining program

eligibility.

4. Management takes

appropriate corrective action

for known departures from


procedures and program



9/43

Existing Control

Control Environment

Expected Controls

1. Management is committed

to providing proper

stewardship for property

acquired with Federal funds.

2. Management takes

appropriate action for known

departures from approved

policies and procedures.


prevent assets from being

under-valued at the time of

disposition. 4.

Separation of duties is in

place to discourage

tempation of misuse of

Federal assets.

1. Commitment from

management to meet

matching, level of effort, and

earmarking requirements

(e.,g adequate budget

resources to meet a specified

matching rqmnt or maintain a

required level of effort)2. Budget process

address/provides adequate

resources to meet matching,

level of effort, or earmarking

goals.

3. Official written policy

exists outling responsibilities

for determing required

amounts or limits of

matching, level of effort, or

earmarking, methods ov

valuing matching

requirements, allowable

costs that may be claimed,

methods of accounting forand documenting amts used

to calculate amts claimed.


10/43

Existing Control

Control Environment

Expected Controls

1. Management is committed

to complying with the period

of availability requirement.

2. Management takes




1. Codes of conduct and

other policies regarding

acceptable practices,

conflicts of interest, or

expected standards of ethcial

and moral behavior for

making procurement exist

and have been implemented.

2. The procurement policy

and/or manual (which

includes federal

requirements) are made

available to management and

employees. 3.

Management takes



policies and procedures and


4. There is a clear

assignment of authority for

issuing purchase orders and

contracting for goods and

services. 5.

Management prohibits

intervention or overriding

established procurement

controls.


11/43

Existing Control

Control Environment

Expected Controls

1. Management understands

it responsibility for program

income.

2. Management takes




1. The organization has

written policies and

procedures provding

direction for handling

relocation assistance and

real property acquisition

payments.

2. Management takes





12/43

Existing Control

Control Environment

Expected Controls

1. Management promotes

accurate and fair financial

reporting presentations.

2. Personnel preparing,

reviewing, and approving

reports possess the required

skill and experience.

3. There is appropriate

assignment of responsibility

and delagation of authority

for financial reporting

decions.

4. Management takes



policies and procedures and


1. Management has a strong

commitment to monitoring

subrecipients. 2.

A structure is in place to

provide the necessary

information flow to monitor

subrecipients adequately.

3. Sufficient resources arededicated to subrecipient

monitoring.

4. Subrecipeints

demonstrate that they are

willing and able to comply

with the requirements of the

award and they have the

accounting systems including

the use of applicable cost

principles, and internal

control systems adequate to

administer the award.

5. Sanctions are taken for

subrecipient noncompliance.

6. Management takesappropriate action for known

departures from approvied



13/43

RISK ASSESSMENT DOCU

NO: POINTS OF FOCUS

1. ENTITY-WIDE OBJECTIVES

1.1. Describe the entity-wide objectives and key strategies that have been

established. (For: Operations, Financial Reporting, and Compliance)

1.2. Extent to which the entity-wide objectives provide sufficiently broad statements

and guidance on what the entity desires to achieve, yet which are specific

enough to relate directly to this entity.

1.2.1. Management has established entity-wide objectives .

1.3. Effectiveness with which the entity-wide objectives are communicated to

employees and the director.1.3.1. Management obtains feedback from key managers, other employees

and the director signifying that communication to employees is effective.

1.4. Relation and consistency of strategies with entity-wide objectives.

1.4.1. The strategic plan supports the entity-wide objectives.

1.4.2. It addresses high level resource allocations and priorities.

1.5. Consistency of business plans and budgets with entity-wide objectives,

strategic plans and current conditions.

1.5.1. Assumptions inherent in the plans and budgets reflect the entity's

historical experience and current conditions.

2. ACTIVITY-LEVEL OBJECTIVES2.1. Linkage of activity-level objectives with entity-wide objectives and strategic plans.

2.1.1. Activity-level objectives are reviewed from time to time for continued

relevance.

2.2. Consistency of activity-level objectives with each other.

2.3. Relevance of activity-level objectives to all significant business processes.

2.3.1. Objectives are established for key activities in the flows of goods and

services and support activities.

2.3.2. Activity-level objectives are consistent with past practices and perform-

ances or with industry or functional analogues, or the reasons for

variance have been considered.2.3.3. Objectives are established for each significant activity. These include:

2.3.3.1. Operations

2.3.3.2. Service

2.3.3.3. Procurement

2.3.3.4. Planning

2.3.3.5. Processes

2.3.3.6. Analyze and Reconcile

2.3.3.7. Process Payroll

2.3.3.8. Reporting


14/43

2.3.3.9. Compliance

2.4. Specificity of activity-level objectives.

2.5. Adequacy of resources relative to objectives.

2.5.1. Plans exist for acquiring necessary resources.

2.6. Identification of objectives that are important to achievement of entity-wide

objectives.

2.6.1. Management has identified what must go right, or where failure must be

avoided, for entity-wide objectives to be achieved.

2.6.2. The objectives serving as critical success factors provide a basis for

particular management focus.

2.7. Involvement of all levels of management in objective setting and extent to

which they are committed to the objectives.

2.7.1. Managers participate in establishing activity objectives for which theyare responsible.

2.7.2. Procedures exist to resolve disagreements.

2.7.3. Managers support the objectives, and do not have "hidden agendas."

3. RISKS

3.1. An entity's risk assessment (RA) process should identify and consider the

implications of relevant risks, at both the entity level and the activity level.

The RA process should consider external and internal factors that could

impact achievement of the objectives, should analyze the risks, and

provide a basis for managing them.

3.2. Adequacy of mechanisms to identify risks arising from external sources.3.2.1. Supply sources

3.2.2. Technology changes

3.2.3. Economic conditions

3.2.4. Political conditions

3.2.5. Regulation

3.2.6. Natural events

3.3. Adequacy of mechanisms to identify risks arising from internal sources.

3.3.1. Human resources; retention of key people.

3.3.2. Information systems; adequacy of back-up systems.

3.4. Identification of significant risks for each significant activity-level objective.

3.5. Thoroughness and relevance of the risk analysis process, including estimating

the significance of risks, assessing the likelihood of their occurring and

determining needed actions.

3.5.1. The identified risks are relevant to the corresponding activity objective.

4. MANAGING CHANGE

4.1. Existence of mechanisms to anticipate, identify and react to routine events

or activities that affect achievement of entity or activity-level objectives.

4.1.1. Routine changes are addressed as part of the normal risk identification


15/43

analysis process, or through separate mechanisms.

4.2. Existence of mechanisms to identify and react to changes that can have a

more dramatic and pervasive effect on the entity, and may demand the

attention of top management.

4.2.1. Changed operating environment

4.2.2. New personnel

4.2.3. New or redesigned information systems

4.2.4. Rapid growth

4.2.5. New technology

4.2.6. New activities and acquisitions

4.2.7. Agency restructuring


16/43

ENTATION

CONCLUSIONS / ACTIONS NEEDED


17/43

Risk is identified as:


18/43


19/43

CONTROL ACTIVITIES DOCUMENTATION

NO: POINTS OF FOCUS CONCLUSIONS / ACTIONS NEEDED

1. Control activities encompass a wide range of policies and the relatedimplementation procedures that help ensure that management's directives

are effected. They help ensure that those actions identified as necessary to

address risks to achieve the entity's objectives are carried out.

1.1. Existence of appropriate policies and procedures necessary with respect to

each of the entity's activities.

1.1.1. All relevant objectives and associated risks for each significant activity

should have been identified in conjunction with evaluating Risk

Assessment.

1.2. Identified control activities in place are being applied properly.

1.2.1. Supervisory personnel review the functioning of controls.

1.2.2. Controls described in policy manuals are actually applied and are applied

the way that they're supposed to be.

1.2.3. Appropriate and timely action is taken on exceptions or information

that requires follow-up.


20/43

INFORMATION & COMMUNICATION D

NO: POINTS OF FOCUS

1. INFORMATION

Information is identified, captured, processed and reported by information

systems. Relevant information includes industry, economic and regulatory

information obtained from external sources, as well as internally generatedinformation.

1.1. Obtaining external and internal information, and providing management

with necessary reports on the entity's performance relative to established

objectives.

1.1.1. Mechanisms are in place to obtain relevant external information.

1.1.2. Internally generated information critical to achievement of the entity's

objectives, including that relative to critical success factors, is identified

and regularly reported.

1.1.3. The information that managers need to carry out their responsibilities is

reported to them.

1.2. Providing information to the right people in sufficient detail and on time to enable

them to carry out their responsibilities efficiently and effectively.

1.2.1. Managers receive analytical information that enables them to identify

what action needs to be taken.

1.2.2. Information is provided at the right level of detail for different levels of

management.

1.2.3. Information is summarized appropriately, providing pertinent information

while permitting closer inspection of details as needed rather than just

a "sea of data."

1.2.4. Information is available on a timely basis to allow effective monitoring

of events and activities.

1.3. Development or revision of information systems based on a strategic planfor information systems-linked to the agency's overall strategy- and responsive

to achieving the entity-wide and activity-level objectives.

1.3.1. A mechanism is in place for identifying emerging information needs.

1.3.2. A long-range information technology plan has been developed and

linked with strategic initiatives.

1.4. Management's support for the development of necessary information systems

is demonstrated by the commitment of appropriate resources-human and financial.

1.4.1. Sufficient resources are provided.

2. COMMUNICATION

2.1. Communication is inherent in information processing. Communication alsotakes place in a broader sense, dealing with expectations and responsibilities

of individuals and groups. Effective communication must occur down, across

and up an organization and with parties external to the organization.

2.2. Effectiveness with which employees' duties and control responsibilities are

communicated.

2.2.1. Employees understand how their duties affect, and are affected by,

duties of other employees.


21/43

2.3. Establishment of channels of communication for people to report

suspected improprieties.

2.3.1. Anonymity is permitted

2.3.2. Employees actually use the communication channel.

2.3.3. Persons who report suspected improprieties are provided feedback,

and have immunity from reprisals.

2.4. Receptivity of management to employee suggestions of ways to enhance

productivity, quality or other similar improvements.

2.4.1. Management acknowledges good employee suggestions by

providing cash awards or other meaningful recognition.

2.4.2. Realistic mechanisms are in place for employees to provide recom-

mendations for improvement.

2.5. Adequacy of communication across the organization and the completeness

and timeliness of information and its sufficiency to enable people to discharge

their responsibilities effectively.

2.6. Openness and effectiveness of channels with customers, suppliers and other

external parties for communication information on changing customer needs.

2.6.1. Feedback mechanisms with all pertinent parties exist.

2.6.2. Suggestions, complaints and other input are captured and communicated

to relevant internal parties.

2.6.3. Information is reported upstream as necessary and follow-up action taken.

2.7. Extent to which outside parties have been made aware of the entity's

ethical standards.

2.7.1. Senior executive periodically explains in writing the entity's ethical

standards to outside parties.2.7.2. Suppliers, customers and others know the entity's standards and

expectations regarding actions in dealing with the entity.

2.7.3. Such standards are reinforced in routine dealings with outside parties.

2.8. Timely and appropriate follow-up action by management resulting from

communications received from customers, vendors, regulators or other

external parties.

2.8.1. Personnel are receptive to reported problems regarding products,

services or other matters, and such reports are investigated and acted upon.

2.8.2. Errors in customer billings are corrected, and the source of the error is

investigated and corrected.

2.8.3. Appropriate personnel-independent of those involved with the original

transaction-process complaints.

2.8.4. Top management is aware of the nature and volume of complaints.


22/43

CUMENTATION



23/43


24/43

MONITORING DOCUMEN

NO: POINTS OF FOCUS

1. ONGOING MONITORING

Ongoing monitoring occurs in the ordinary course of operations, and includes

regular management and supervisory activities, and other actions personnel

take in performing their duties that assess the quality of internal controlsystem performance.

1.1. Extent to which personnel, in carrying out their regular activities, obtain

evidence as to whether the system of internal control continues to function.

1.1.1. Operating management compares production, inventory, sales or other

information obtained in the course of their daily activities to systems-

generated information.

1.1.2. Integration or reconciliation of operating information used to manage

operations with data generated by the financial reporting system.

1.1.3. Operating personnel are required to "sign off" on the accuracy of their

unit's financial statements, and are held responsible if errors are discovered.

1.2. Extent to which communications from external parties corroborate internally

generated information, or indicate problems.

1.2.1. Customers implicitly corroborate billing data by paying their invoices,

or customer complaints about billings-indicating system deficiencies in

the processing of sales transaction-are investigated for their underlying

causes.

1.2.2. Communications from vendors and monthly statements of accounts payable

are used as a control monitoring technique.

1.2.3. Suppliers' complaints of unfair practices by purchasing agents are

fully investigated.

1.2.4. Regulators communicate information to the entity regarding compliance

or other matters that reflect on the functioning of the internal control

system.1.2.5. Controls that should have prevented or detected the problems are

reassessed.

1.3. Periodic comparison of amounts recorded by the accounting system with

physical assets.

1.3.1. Inventory levels are checked when goods are taken from inventory

storage for shipment, and differences between recorded and actual

amounts are corrected.

1.3.2. Securities held in trust are counted periodically and compared with

existing records.

1.4. Responsiveness to internal and external auditor recommendationson means to strengthen internal controls.

1.4.1. Executives with proper authority decide which of the auditors'

recommendation will be implemented.

1.4.2. Desired actions are followed up to verify implementation.

1.5. Extent to which training seminars, planning sessions and other meetings

provide feedback to management on whether controls operate effectively.

1.5.1. Relevant issues and questions raised at training seminars are captured.

1.5.2. Employee suggestions are communicated upstream and acted on as


25/43

appropriate.

1.6. Whether personnel are asked periodically to state whether they understand

and comply with the entity's code of conduct and regularly perform

critical control activities.

1.6.1. Personnel are required periodically to acknowledge compliance with

the code of conduct.

1.6.2. Signatures are required to evidence performance of critical control

functions, such as reconciling specified amounts.

1.7. Effectiveness of internal audit activities.

1.7.1. There are appropriate levels of competent and experienced staff.

1.7.2. Their position within the organization is appropriate.

1.7.3. They have access to the Director.

1.7.4. Their scope, responsibilities and audit plans are appropriate

to the organization's needs.

2. SEPARATE EVALUATIONS

It is useful to take a fresh look at the internal control system from time

to time, focusing directly on system effectiveness. The scope and frequency

of separate evaluations will depend primarily on an assessment of risks,

and ongoing monitoring procedures.

2.1. Scope and frequency of separate evaluations of the internal control systems.

2.1.1. Appropriate portions of the internal control system are evaluated.

2.1.2. The evaluations are conducted by personnel with the requisite skills.

2.1.3. The scope, depth of coverage and frequency are adequate.

2.2. Appropriateness of the evaluation process.2.2.1. The evaluator gains a sufficient understanding of the entity's activities.

2.2.2. An understanding is obtained of how the system is supposed to work

and how it actually does work.

2.2.3. An analysis is made, using the evaluation results as measured

against established criteria.

2.3. Whether the methodology for evaluating a system is logical and appropriate.

2.3.1. Such methodology includes checklists, questionnaires or other tools.

2.3.2. The evaluation team is brought together to plan the evaluation process

and ensure a coordinated effort.

2.3.3. The evaluation process is managed by an executive with

requisite authority.

3. REPORTING DEFICIENCIES

Internal control deficiencies should be reported upstream with certain

matters reported to top management and the board.

3.1. Existence of mechanism for capturing and reporting identified internal control

deficiencies.

3.1.1. From both internal sources and external sources.

3.1.2. Resulting from ongoing monitoring or separate evaluations.

3.2. Appropriateness of reporting protocols.


26/43

3.2.1. Deficiencies are reported to the person directly responsible for the

activity and to a person at least one level higher.

3.2.2. Specified types of deficiencies are reported to more senior management

and to the board.

3.3. Appropriateness of follow-up actions.

3.3.1. The transaction or event identified is corrected.

3.3.2. The underlying causes of the problem are investigated.

3.3.3. There is follow-up to ensure the necessary corrective action is taken.


27/43

TATION



28/43


29/43


30/43

CONTROL ENVIRONMENT DOCU

NO: POINTS OF FOCUS

1. INTEGRITY AND ETHICAL VALUES

1.1. Existence and implementation of codes of conduct and other policies regard-

ing acceptable business practice, conflicts of interest, or expected standards

of ethical and moral behavior.

1.1.1. Codes are periodically acknowledged by all employees.1.1.2. Employees understand what behavior is aceptable or unacceptable, and

know what to do if they encounter improper behavior.

1.2. Establishment of the "tone at the top" -including explicit moral guidance about

what is right and wrong.

1.2.1. Management appropriately deals with signs that problems exist, e.g.,

hazardous wastes, defective work, etc.

1.2.2. Commitment to integrity and ethics is communicated effectively throughout

the agency, both in words and deeds.

1.3. Appropriateness of remedial action taken in response to departures from

approved policies and procedures or violations of the code of conduct.1.3.1. Management responds to violations of behavioral standards.

1.3.2. Employees believe that if caught violating behavioral standards,

they'll suffer the consequences.

1.4. Managements attitude towards intervention or overriding established controls.

1.4.1. Manager override is explicitly prohibited.

1.4.2. Deviations from established policies are investigated and documented.

2. COMMITMENT TO COMPETENCE

2.1. Formal or informal job descriptions or other means of defining tasks that

comprise particular jobs.

2.2. Analysis of the knowledge and skills needed to perform jobs adequately.2.2.1. Evidence exists indicating that employees appear to have the

requisite knowledge and skills.

3. MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE

3.1. Nature of business risks accepted, e.g., whether management often enters

into particularly high-risk ventures, or is extremely conservative in

accepting risks.

3.2. Personnel turnover in key functions.

3.2.1. There has been excessive turnover of mgmt or supervisory personnel.

3.2.2. There is a pattern to turnover.

3.3. Frequency of interaction between senior management and operating mgmt,

particularly when operating from geographically removed locations.

3.4. Attitudes and actions toward financial reporting, including disputes over

application of accounting treatments.

3.4.1. Estimates do not stretch facts to the edge of reasonableness and beyond.

4. ORGANIZATIONAL STRUCTURE

4.1. Appropriateness of the entity's organizational structure, and its ability to pro-


31/43

vide the necessary information flow to manage its activities.

4.1.1. The organizational structure is appropriately centralized or decentralized

given the nature of the entity's operations.

4.2. Adequacy of definition of key managers' responsibilities, and their under-

standing of these responsibilities.

4.2.1. Responsibilities and expectations are communicated clearly.

4.3. Adequacy of knowledge and experience of key managers in light of responsibilities.

4.3.1. Executives in charge have the required knowledge, experience and

training to perform their duties.

4.4. Appropriateness of reporting relationships.

4.5. Sufficient numbers of employees exist, particularly in management and

supervisory capacities.

4.5.1. Managers and supervisors have sufficient time to carry out their

responsibilities effectively.

4.5.2. Managers and supervisors work excessive overtime and are fulfilling

the responsibilities of more than one employee.

5. ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY

5.1. Assignment of responsibility and delegation of authority to deal with organi-

zational goals and objectives, operating functions and regulatory requirements,

including responsibility for information systems and authorizations for changes.

5.1.1. Responsibility for decisions is related to assignment of authority and

responsibility.

5.2. Appropriateness of control-related standards and procedures, including

employee job descriptions.

5.2.1. Job descriptions exist.

5.2.2. They contain specific references to control related responsibilities.

5.3. Appropriate numbers of people, particularly with respect to data processing and

accounting functions, with the requisite skill levels relative to the size of the

entity and nature and complexity of activities and systems.

5.3.1. They have an adequate workforce to carry out mission.

5.4. Appropriateness of delegated authority in relation to assigned responsibilities.

5.4.1. Employees at the "right" level are empowered to correct problems or

implement improvements, and empowerment is accompanied by

appropriate levels of competence and clear boundaries of authority.

6. HUMAN RESOURCE POLICIES AND PRACTICES

6.1. Extent to which policies and procedures for hiring, training, promoting and

compensating employees are in place.

6.1.1. Level of attention given to recruiting and training the right people is

appropriate.

6.2. Extent to which people are made aware of their responsibilities and

expectations of them.

6.2.1. Supervisory personnel meet periodically with employees to review job

performance and suggestions for improvement.

6.3. Appropriateness of remedial action taken in response to departures


32/43

from approved policies and procedures.

6.3.1. Employees understand that ineffective performance will result in

remedial consequences.

6.4. Extent to which personnel policies address adherence to appropriate

ethical and moral standards.

6.4.1. Integrity and ethical values are criterion in performance appraisals.

6.5. Adequacy of employee candidate background checks, particularly

with regard to prior actions or activities considered to be unacceptable

by the entity.

6.5.1. Candidates with frequent job changes or gaps in employment history

are subjected to particularly close scrutiny.

6.6. Adequacy of employee retention and promotion criteria and information-

gathering techniques and relation to the code of conduct or other

behavioral guidelines.

6.6.1. Promotion and salary increase criteria are detailed clearly so that

individuals know what management expects prior to promotions or

advancement.


33/43

ENTATION



34/43


35/43


36/43

OVERALL INTERNAL CONTROL SYSTEM EVALUATION DO

NO: INTERNAL CONTROL COMPONENTS PRELIMINARY CONCLUSIONS

ACTIONS NEEDED

1. CONTROL ENVIRONMENT

1.1. Does management adequately convey the

message that integrity cannot be compromised?

1.2. Does a positive control environment exist,

whereby there is an attitude of control con-

sciousness throughout the organization, and a

positive "tone at the top"?

1.3. Is the competence of the entity's people com-

menusrate with their responsibilities?

1.4. Is management's operating style, the way it

assigns authority and responsibility, and organ-

izes and develops its people appropriate?

1.5. Does the Director provide the right level of

attention?

2. RISK ASSESSMENT

2.1. Are entity-wide objectives and supporting activity-

level objectives established and linked?

2.2. Are the internal and external risks that influence

the success or failure of the achievement

of the objectives identified and assessed?

2.3. Are mechanisms in place to identify changes af-

fecting the entity's ability to achieve its objectives?

2.4. Are policies and procedures modified as needed?

3. CONTROL ACTIVITIES

3.1. Are control activities in place to ensure adher-

ence to established policy and the carrying out

of actions to address the related risks?

3.2. Are there appropriate control activities for each

of the entity's activities?

4. INFORMATION AND COMMUNICATION

4.1. Are information systems in place to identify and

capture pertinent information-financial and non-

financial, relating to external and internal events-

and bring it to personnel in a form that enables


37/43

them to carry out their responsibilities?

4.2. Does communication of relevant information

take place?

4.3. Is it clear with respect to expectations and re-

sponsibilities of individuals and groups, and

reporting of results?

4.4. And does communication occur down, across

and upward in the entity, as well as between

the entity and other parties?

5. MONITORING

5.1. Are appropriate procedures in place to monitor on

an ongoing basis, or to periodically evaluate the

functioning of the other components of IC?

5.2. Are deficiencies reported to the right people?

5.3. Are policies and procedures modified as needed?


38/43

UMENTATION

ADDITIONAL

CONSIDERATIONS


39/43


40/43

End of Period Financial Statements

Process Control Objective Risk Control Considerations P/D

Assertion

E,A,C,V,PThe following functions should be segregated: E,A,C,V,P

Authorization of transactions

Execution of transactions

Recording of transactions

Reconciliations

Consolidations

Maintenance of master files & tables

Access rules adequately support segregation of duties.

New general ledger accounts are approved before entry

into the system.

P E,A,C

Changes to tables are authorized before entry into the

system.

P E,A

Edits and validation procedures prevent invalid data from

entering the system.

P C,A

System reports of changes to master file/tables are

independently verified to the source documents.

D A

Master file/table

data does not

remain accurate

Master File/Table data is periodically reviewed by

management.

D A

AREAS TO CONSIDER:

Foreign currency

Investments

Allowance for doubtful accounts

Asset impairment

Depreciation of assets

Amortization of pre-paids and intangibles

Warranty reserves

Pension and OPEB liabilities

LIFO or lower of cost or market calculations

Accruals

Income taxes (current and deferred)

Transactions are reviewed (including assumptions for

transaction calculations) and properly authorized prior to

entry into the system.

E,A,V

Asset /

Liability

Estimations

and

Valuations

Estimations and

valuations are recorded

accurately, completely

and on a timely basis.

Assets and

liabilities may not

be properly stated

Master File

Maintenance

Changes to the general

ledger/ consolidation

master files and relatedtables, or similar tools,

are properly

authorized, accurate

and recorded timely

Unauthorized

additions/changes

can be made to themaster files/tables

Audit Area

Segregation

of Duties

Accounting functions

are properly

segregated.

Unauthorized and

inaccurate

transactions may

be recorded

Page 40 of 43


41/43


Assertion

E,A,C,V,P D

Supporting schedules are reconciled to the general ledger. E,A,C

Entries/account balances are reviewed against: budgets,

source documents, other metrics and reports and

compliance with GAAP.

E,A,C,V

FOR FOREIGN EXCHANGE

Rates used for translation of both foreign currency

transactions and balances are compared to published rates.A

FOR DEPRECIATION AND AMORTIZATION

The system automatically calculates the expense and posts

to the proper ledgers.A

Edit checks exist to prevent depreciation/amortization in

excess of the original value of the asset.A

Accounting department is notified of and considers

acquisitions, transfers, sales and abandonments of assets in

computing depreciation/amortization.

A

FOR INCOME TAXES

Details of sources of tax information are prepared,

updated, and compared to items recorded during the

accounting period prior to period end to determine

whether all events and transactions with significant tax

consequences and book-to-tax differences have been

identified and accounted for.

C,A

Calculation of the tax provision and changes to the

deferred tax accounts and any valuation allowances are

performed by knowledgeable personnel on a timely basis

and are independently reviewed.

C,E,A,V

The tax provision and deferred tax accounts are reconciled

to the tax return on a timely basis.

C,E,A

Only appropriate and authorized people can transfer data

to the general ledger.

C,E,ATransfers

from Sub-

ledgers

Transfer entries from

other systems are

accurate, complete and

The general ledger

may not be

accurate and

Page 41 of 43


42/43


Assertion

E,A,C,V,P

All sub-ledger totals by account are compared to the

general ledger system.

C,E,A

The completed general ledger closing checklist is reviewed

by management.

C,E,A

The prior periods closing balance is reconciled to the

current periods opening balance.

C,E,A

All reconciliations are reviewed by management. C,E,A

Management reviews all suspense accounts and resolves

all items before the close.

C,E,A

Reconciliations of all inter-company accounts are

performed and reviewed by management.

C,E,A

The completed consolidation checklist is reviewed by

management.

C,E,A

The financial statements in the consolidation package are

reconciled to the trial balances from each entitys general

ledger, including any post-closing (top-side) adjustments.

C,E,A

All consolidating and eliminating entries are reviewed by

management.

C,E,A,V

All top-side entries are properly authorized. E,V

Only authorized and appropriate individuals can post top-

side entries.

E,V

Adequate audit trails exist for all top-side entries. E,A,V

Top-side entries are compared to source documents after

they are entered into the system or otherwise reviewed by

management.

C,E,A,V

Management has established and documented a process for

preparing and reviewing financial statements based on the

accumulation of the relevant data from throughout the

company.

C,E,A,V,PPreparation

of the

Financial

Statements

Financial statements

are prepared accurately

and timely.

Financial

statements may be

misstated

Consolida-

tions

Corporate

consolidations are

complete and accurate.

Corporate

consolidations are

inaccurate

Unauthorized top-

side entries can be

made

General

Ledger Close

All valid entries are

updated to the

appropriate accounts

prior to period-end

closing.

All entries may not

be reflected

properly in the

general ledger.

Inter-

company

Accounts

Inter-company

accounts are recorded

completely, accurately

and in a timely manner.

Inter-company

accounts may not

be properly

eliminated

basis.

.

Page 42 of 43


43/43


Assertion

E,A,C,V,P D

Applicability of new accounting pronouncements is

considered, documented, and communicated to appropriate

personnel throughout the company.

C,E,A,V.P

Financial statement account groupings are prepared

consistently with prior periods, and are reviewed by

management.

C,E,A,V,P

Financial statements are independently reconciled to the

appropriate supporting schedules.

C,E,A

Financial statements are tested for clerical accuracy. A

The completed disclosure checklist is reviewed by

management.

P

Management and the board of directors review and

approve the financial statements, including the related

footnotes.

C,E,A,V,P

The footnotes are reconciled to supporting documentation. C,E,A

Final

Financial

Statements

and

Disclosures

All necessary contents

and disclosures are

included in the

financial statements.

Contents or format

of financial

statements may be

incorrect or

missing

disclosures.

Documents

155289907A-133 Compliance Internal Control Tool