Standards for Internal Control in New York State Government

1
Standards for Internal Control in New York State
Government

• Alan G. Hevesi
• Comptroller
• December 2005

2
A Message from Comptroller Alan G. Hevesi
3
Team Responsible for Updating the Standards

• ? John Buyce
• ? Laurel Jolliffe
• ? Bernie McHugh
• ? Mary Peck
• ? Steve Hillerman

4
Purpose of Updates

• To make clarifications where necessary
• To make more concise and eliminate redundancy
• To expand on those areas where we feel a greater
  emphasis is necessary
• To update for current terminology
• To identify any additional elements of control we
  determined were critical to add

5
TABLE OF CONTENTS

• ? Introduction
• ? Part I New York States Internal Control
  Framework
• - Definition of Internal Control
• - Four Purposes of Internal Control
• - Organizational Roles

6

• ? Part II Five Components of Internal
  Control
• - Control Environment
• Governance
• The influence on an organization exercised
  by the executive body of Chief Executive

7
- Control Environment (continued)

• Critical Areas of Influence
• - Approving and Monitoring the Organizations
  Mission and Strategic Plan
• - Establishing, Practicing and Monitoring
  the Organizations Values and Ethical Codes
• - Overseeing the Decisions and Actions of
  Senior Managers

8
- Control Environment (continued)

• Critical Areas of Influence (continued)
• - Establishing the High Level Policy and
  Organization Structure
• - Ensuring and Providing Accountability to
  Stakeholders
• - Establishing the Overall Management Style,
  Philosophy and Tone
• - Directing Management Oversight of Key
  Business Processes

9
- Control Environment (continued)

• - Ethical Values and Integrity
• - Management Operating Style and Philosophy
• - Competence
• - Morale
• - Supportive Attitude
• - Mission
• - Structure

10
? Part II Five Components of Internal Control
(continued)

• - Communication
• - Assessing and Managing Risk
• - Preparing to Assess Risk
• - Risk Assessment Process
• - Managing Risk
• - Preventing or Reducing Risk
• - Managing Risk During Change

11
? Part II Five Components of Internal Control
(continued)

• - Control Activities
• - Documentation
• - Approval and Authorization
• - Verification
• - Supervision
• - Separation of Duties
• - Safeguarding Assets
• - Reporting

12
? Part II Five Components of Internal Control
(continued)

• Control Activities (continued)
• - Control Activities for Information Technology
• - Increased Emphasis on Responsibility of
  non-IT employees using computers in their work,
  including the use of
• - Encryption to protect confidential of
  sensitive information
• - Back-up and Restore features to Reduce
  Risk of Loss of Data

13
? Part II Five Components of Internal Control
(continued)

• - Virus Protection Software
• - Passwords that Restrict User Access to
  Networks, Data and Applications
• - General Controls Now Focus on Six Major
  General Control Activities
• - Organization-Wide Security Management
  Program

14
? Part II Five Components of Internal Control
(continued)

• - General Controls Now Focus on Six Major
  General Control Activities
• - Access Security Controls
• - Restrictions on User Access
• - Software and Hardware Firewalls
• - Required Password Changes / Deactivation
• - Application Software and Change Control
• - System Documentation
• - Authorizations for I/T Projects
• - Reviewing, Testing and Approving
  Development and Modification Activities

15
? Part II Five Components of Internal Control
(continued)

• - General Controls Now Focus on Six Major
  General Control Activities
• - System Software Control
• - Security Procedures Over Acquisition,
  Implementation and Maintenance of System
  Software, Database Manage- ment Systems,
  Tele- communications, Security Software
  and Utility Programs

16
? Part II Five Components of Internal Control
(continued)

• - General Controls Now Focus on Six Major
  General Control Activities
• - Segregation of Duties Continue to
  Emphasize the Importance of Segregation in
  IT Environment
• - Service Continuity Disaster Recovery
• - Off-Site Storage of Back-up Data
• - Environmental Controls
• - Staff Training
• - Hardware Maintenance and Management
• - Periodic Testing of Contingency Plans

17
? Part II Five Components of Internal Control
(continued)

• - Application Controls
• - Input Controls
• - Processing Controls
• - Output Controls

18
? Part II Five Components of Internal Control
(continued)

• - Control Activities (continued)
• - Monitoring (continued)
• - Staff
• - Supervisors
• - Mid-Level Managers
• - Executive Management
• - Control Activities
• - Mission
• - Control Environment
• - Communication
• - Risks and Opportunities

19
? Part III Supporting Activities

• - Evaluation
• - Strategic Planning
• - Objectives
• - Goals
• - Operational Plans
• - Assessable Units

20
Appendix

• Internal Control Reference Sources
• NYS Internal Control Act
• Standards for Internal Control in NYS Government
• Internal Control Integrated Framework (COSO)
• Governmental Internal Control and Internal Audit
  Requirements NYS Division of the Budget
• Association of Government Accounts (AGA)
• Control Objectives for Information and Related
  Technology (COBIT)
• GAO Standards for Internal Control in the Federal
  Government
• GAO Internal Control Management and Evaluation
  Tool
• Guidance on Control The Canadian Institute of
  Chartered Accountants (COCO)
• Institute of Internal Auditors (IIA)
• NYS Office of Cyber Security Critical
  Infrastructure Coordination
• NYS Office of Technology
• NYS Internal Control Association (NYSICA)
• OMB A-123 Management Accountability and Control
• Public Company Accounting Oversight Board (PCAOB)
• Special Publications The National Institute for
  Standards and Technology (NIST)

• Internal Control Reference Sources
• NYS Internal Control Act
• Standards for Internal Control in NYS Government
• Internal Control Integrated Framework (COSO)
• Governmental Internal Control and Internal Audit
  Requirements NYS Division of the Budget
• Association of Government Accounts (AGA)
• Control Objectives for Information and Related
  Technology (COBIT)
• GAO Standards for Internal Control in the Federal
  Government
• GAO Internal Control Management and Evaluation
  Tool
• Guidance on Control The Canadian Institute of
  Chartered Accountants (COCO)
• Institute of Internal Auditors (IIA)
• NYS Office of Cyber Security Critical
  Infrastructure Coordination
• NYS Office of Technology
• NYS Internal Control Association (NYSICA)
• OMB A-123 Management Accountability and Control
• Public Company Accounting Oversight Board (PCAOB)
• Special Publications The National Institute for
  Standards and Technology (NIST)
• Active links can be found at URL below first
  click Slide Show From Current Slide (bottom
  left corner), then click link