Standards for Internal Control in New York State Government

1. Standards for Internal Control in New York State Government Alan G. Hevesi Comptroller December 2005

2. A Message from Comptroller Alan G. Hevesi

3. Team Responsible for Updating the Standards: ? John Buyce ? Laurel Jolliffe ? Bernie McHugh ? Mary Peck ? Steve Hillerman

4. Purpose of Updates: To make clarifications where necessary To make more concise and eliminate redundancy To expand on those areas where we feel a greater emphasis is necessary To update for current terminology To identify any additional elements of control we determined were critical to add

5. TABLE OF CONTENTS ? Introduction ? Part I: New York State’s Internal Control Framework - Definition of Internal Control - Four Purposes of Internal Control - Organizational Roles

6. ? Part II: Five Components of Internal Control  - Control Environment Governance: The influence on an organization exercised by the executive body of Chief Executive

7. - Control Environment (continued) Critical Areas of Influence: - Approving and Monitoring the Organization’s Mission and Strategic Plan - Establishing, Practicing and Monitoring the Organization’s Values and Ethical Codes - Overseeing the Decisions and Actions of Senior Managers

8. - Control Environment (continued) Critical Areas of Influence (continued): - Establishing the High Level Policy and Organization Structure - Ensuring and Providing Accountability to Stakeholders - Establishing the Overall Management Style, Philosophy and Tone - Directing Management Oversight of Key Business Processes

9. - Control Environment (continued): - Ethical Values and Integrity - Management Operating Style and Philosophy - Competence - Morale - Supportive Attitude - Mission - Structure

10. - Communication - Assessing and Managing Risk - Preparing to Assess Risk - Risk Assessment Process - Managing Risk - Preventing or Reducing Risk - Managing Risk During Change ? Part II: Five Components of Internal Control (continued):

11. ? Part II: Five Components of Internal Control (continued): - Control Activities - Documentation - Approval and Authorization - Verification - Supervision - Separation of Duties - Safeguarding Assets - Reporting

12. ? Part II: Five Components of Internal Control (continued): Control Activities (continued): - Control Activities for Information Technology - Increased Emphasis on Responsibility of non-IT employees using computers in their work, including the use of: - Encryption to protect confidential of sensitive information - Back-up and Restore features to Reduce Risk of Loss of Data

13. ? Part II: Five Components of Internal Control (continued): - Virus Protection Software - Passwords that Restrict User Access to Networks, Data and Applications - General Controls – Now Focus on Six Major General Control Activities - Organization-Wide Security Management Program

14. ? Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities - Access Security Controls - Restrictions on User Access - Software and Hardware Firewalls - Required Password Changes / Deactivation - Application Software and Change Control - System Documentation - Authorizations for I/T Projects - Reviewing, Testing and Approving Development and Modification Activities

15. ? Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities - System Software Control - Security Procedures Over Acquisition, Implementation and Maintenance of System Software, Database Manage- ment Systems, Tele- communications, Security Software and Utility Programs

16. ? Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities - Segregation of Duties – Continue to Emphasize the Importance of Segregation in IT Environment - Service Continuity – Disaster Recovery - Off-Site Storage of Back-up Data - Environmental Controls - Staff Training - Hardware Maintenance and Management - Periodic Testing of Contingency Plans

17. ? Part II: Five Components of Internal Control (continued): - Application Controls - Input Controls - Processing Controls - Output Controls

18. ? Part II: Five Components of Internal Control (continued): - Control Activities (continued): - Monitoring (continued): - Staff - Supervisors - Mid-Level Managers - Executive Management - Control Activities - Mission - Control Environment - Communication - Risks and Opportunities

19. ? Part III: Supporting Activities: - Evaluation - Strategic Planning - Objectives - Goals - Operational Plans - Assessable Units

20. Appendix Internal Control Reference Sources NYS Internal Control Act Standards for Internal Control in NYS Government Internal Control – Integrated Framework (COSO) Governmental Internal Control and Internal Audit Requirements – NYS Division of the Budget Association of Government Accounts (AGA) Control Objectives for Information and Related Technology (COBIT) GAO Standards for Internal Control in the Federal Government GAO Internal Control Management and Evaluation Tool Guidance on Control – The Canadian Institute of Chartered Accountants (COCO) Institute of Internal Auditors (IIA) NYS Office of Cyber Security & Critical Infrastructure Coordination NYS Office of Technology NYS Internal Control Association (NYSICA) OMB A-123 Management Accountability and Control Public Company Accounting Oversight Board (PCAOB) Special Publications – The National Institute for Standards and Technology (NIST)