Internal Control Environment

Printer-friendly version
Type: 
Best Practice
Background: 

In its Establishing a Comprehensive Framework for Internal Control (Framework) best practice, GFOA recommended that state, provincial, and local governments adopt the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework (2013) as their conceptual basis for designing, implementing, operating, and evaluating internal control so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives. To support governments’ efforts in this area, GFOA is developing best practices that explain how to implement each of the five components of that framework. This best practice focuses on the first of those five components, the control environment, which the COSO has defined as a set of standards, processes, and structures that provide the basis for carrying out internal control.

Recommendation: 

GFOA recommends that governments do all of the following to establish a strong internal control environment:

  1. The governing body,1 upper level management, and all levels of staff throughout the organization should demonstrate a commitment to the framework, as follows:Officially adopt the framework (governing body);
    1. Adopt a policy to incorporate the implementation, maintenance, and updating of the framework into the government’s strategic goals (governing body);
    2. Develop standards of conduct for employees and provide training on those standards;
    3. Require management and employees to sign a statement that they will follow the standards of conduct and to reaffirm that commitment periodically; and
    4. Include compliance with standards of conduct as part of employee evaluations to ensure accountability.
  2. The governing body should assume responsibility for overseeing internal control by:
    1. Actively overseeing management’s development and implementation of the framework;
    2. Actively monitoring the performance of the framework;
    3. Obtaining training about the nature and purpose of internal control sufficient to allow members of the governing body to meaningfully perform their oversight function with the assistance of an expert;
    4. Obtaining expert advice, independent of management, to help it perform its oversight function if no member of the audit committee possesses that expertise;
    5. Establishing an audit committee made up of members of the governing body;
    6. Documenting that it has reviewed the framework and its updates;
    7. Approving significant control-related policies; and
    8. Determining how often policies and procedures need to be reviewed, reaffirmed, and updated.
  3. Management should develop organizational structures and ensure staff accountability by:
    1. Creating a formal organizational chart for both the government as a whole and for each of its departments;
    2. Requiring written procedures for important government processes (for example, payroll);
    3. Developing flowcharts of each significant process;
    4. Maintaining electronic copies of process flowcharts to facilitate updating;
    5. Identifying responsibilities for workflow approvals in their systems; and
    6. Making sure systems incorporate compensating controls.
  4. Governments should commit to attracting and retaining competent employees by:
    1. Developing comprehensive job descriptions;      
    2. Ensuring that hiring panels include experts in the desired skill sets;
    3. Providing opportunities for employees to gain continuing professional education to stay current in their field;
    4. Encouraging membership in professional organizations to develop networking;
    5. Supporting the development of succession planning;
    6. Cross-training staff;
    7. Thoroughly documenting the responsibilities of each position and appropriate processes for succession planning;
    8. Providing managerial training, in addition to technical training, for staff members who will be promoted;
    9. Requiring that supervisors give staff members hands-on training on key responsibilities; and
    10. Developing an ongoing mentoring program to enhance employees’ skills.
  5. Governments should hold individuals accountable for their internal control responsibilities by:
    1. Preparing comprehensive, fact-based performance appraisals;
    2. Providing performance appraisals on a timely basis;
    3. Taking disciplinary action if conduct is not consistent with expected performance;
    4. Including internal control goals as part of employee performance reviews;
    5. Identifying zero-tolerance policies (e.g., theft) and adhering to them; and
    6. Ensuring that union agreements clearly delineate responsibilities up front.
Committee: 
Accounting, Auditing, and Financial Reporting
Notes: 
  1. If the governing body is elected, rather than appointed, the term governing body would apply to both members of the governing body and the elected officials to whom they report.

 

This best practice was previously titled Framework for Internal Control: The Control Environment.

Approved by GFOA's Executive Board: 
January 2016