1. Standards for Internal Control in New York State Government
Alan G. Hevesi
Comptroller
December 2005
2. A Message from Comptroller Alan G. Hevesi
3. Team Responsible for Updating the Standards:
• John Buyce
• Laurel Jolliffe
• Bernie McHugh
• Mary Peck
• Steve Hillerman
4. Purpose of Updates: To make clarifications where necessary
To make more concise and eliminate redundancy
To expand on those areas where we feel a greater emphasis is necessary
To update for current terminology
To identify any additional elements of control we determined were critical to add
5. TABLE OF CONTENTS
• Introduction
• Part I: New York State’s Internal Control Framework
- Definition of Internal Control
- Four Purposes of Internal Control
- Organizational Roles
6. • Part II: Five Components of Internal Control
- Control Environment
Governance:
The influence on an organization exercised by the executive body or Chief Executive
7. - Control Environment (continued) Critical Areas of Influence:
- Approving and Monitoring the Organization’s Mission and Strategic Plan
- Establishing, Practicing and Monitoring the Organization’s Values and Ethical Codes
- Overseeing the Decisions and Actions of Senior Managers
8. - Control Environment (continued) Critical Areas of Influence (continued):
- Establishing the High Level Policy and Organization Structure
- Ensuring and Providing Accountability to Stakeholders
- Establishing the Overall Management Style, Philosophy and Tone
- Directing Management Oversight of Key Business Processes
9. - Control Environment (continued): - Ethical Values and Integrity
- Management Operating Style and Philosophy
- Competence
- Morale
- Supportive Attitude
- Mission
- Structure
10. - Communication
- Assessing and Managing Risk
- Preparing to Assess Risk
- Risk Assessment Process
- Managing Risk
- Preventing or Reducing Risk
- Managing Risk During Change
• Part II: Five Components of Internal Control (continued):
11. • Part II: Five Components of Internal Control (continued): - Control Activities
- Documentation
- Approval and Authorization
- Verification
- Supervision
- Separation of Duties
- Safeguarding Assets
- Reporting
12. • Part II: Five Components of Internal Control (continued): Control Activities (continued):
- Control Activities for Information Technology
- Increased Emphasis on Responsibility of non-IT employees using computers in their work, including the use of:
- Encryption to protect confidential or sensitive information
- Back-up and Restore features to Reduce Risk of Loss of Data
13. • Part II: Five Components of Internal Control (continued): - Virus Protection Software
- Passwords that Restrict User Access to Networks, Data and Applications
- General Controls – Now Focus on Six Major General Control Activities
- Organization-Wide Security Management Program
14. • Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities
- Access Security Controls
- Restrictions on User Access
- Software and Hardware Firewalls
- Required Password Changes / Deactivation
- Application Software and Change Control
- System Documentation
- Authorizations for I/T Projects
- Reviewing, Testing and Approving Development and Modification Activities
15. • Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities
- System Software Control
- Security Procedures Over Acquisition, Implementation and Maintenance of System Software, Database Management Systems, Telecommunications, Security Software and Utility Programs
16. • Part II: Five Components of Internal Control (continued): - General Controls – Now Focus on Six Major General Control Activities
- Segregation of Duties – Continue to Emphasize the Importance of Segregation in IT Environment
- Service Continuity – Disaster Recovery
- Off-Site Storage of Back-up Data
- Environmental Controls
- Staff Training
- Hardware Maintenance and Management
- Periodic Testing of Contingency Plans
17. • Part II: Five Components of Internal Control (continued): - Application Controls
- Input Controls
- Processing Controls
- Output Controls
18. • Part II: Five Components of Internal Control (continued): - Control Activities (continued):
- Monitoring (continued):
- Staff
- Supervisors
- Mid-Level Managers
- Executive Management
- Control Activities
- Mission
- Control Environment
- Communication
- Risks and Opportunities
19. • Part III: Supporting Activities: - Evaluation
- Strategic Planning
- Objectives
- Goals
- Operational Plans
- Assessable Units
20. Appendix Internal Control Reference Sources
NYS Internal Control Act
Standards for Internal Control in NYS Government
Internal Control – Integrated Framework (COSO)
Governmental Internal Control and Internal Audit Requirements – NYS Division of the Budget
Association of Government Accountants (AGA)
Control Objectives for Information and Related Technology (COBIT)
GAO Standards for Internal Control in the Federal Government
GAO Internal Control Management and Evaluation Tool
Guidance on Control – The Canadian Institute of Chartered Accountants (COCO)
Institute of Internal Auditors (IIA)
NYS Office of Cyber Security & Critical Infrastructure Coordination
NYS Office of Technology
NYS Internal Control Association (NYSICA)
OMB A-123 Management Accountability and Control
Public Company Accounting Oversight Board (PCAOB)
Special Publications – The National Institute for Standards and Technology (NIST)