Title: Standards for Internal Control in New York State Government
Standards for Internal Control in New York State Government
- Alan G. Hevesi
- Comptroller
- December 2005
A Message from Comptroller Alan G. Hevesi
Team Responsible for Updating the Standards
- John Buyce
- Laurel Jolliffe
- Bernie McHugh
- Mary Peck
- Steve Hillerman
Purpose of Updates
- To make clarifications where necessary
- To make more concise and eliminate redundancy
- To expand on those areas where we feel a greater emphasis is necessary
- To update for current terminology
- To identify any additional elements of control we determined were critical to add
TABLE OF CONTENTS
- Introduction
- Part I: New York State's Internal Control Framework
- - Definition of Internal Control
- - Four Purposes of Internal Control
- - Organizational Roles
- Part II: Five Components of Internal Control
- - Control Environment
- Governance
- The influence on an organization exercised by the executive body or Chief Executive
- Control Environment (continued)
- Critical Areas of Influence
- - Approving and Monitoring the Organization's Mission and Strategic Plan
- - Establishing, Practicing and Monitoring the Organization's Values and Ethical Codes
- - Overseeing the Decisions and Actions of Senior Managers
- Control Environment (continued)
- Critical Areas of Influence (continued)
- - Establishing the High Level Policy and Organization Structure
- - Ensuring and Providing Accountability to Stakeholders
- - Establishing the Overall Management Style, Philosophy and Tone
- - Directing Management Oversight of Key Business Processes
- Control Environment (continued)
- - Ethical Values and Integrity
- - Management Operating Style and Philosophy
- - Competence
- - Morale
- - Supportive Attitude
- - Mission
- - Structure
Part II: Five Components of Internal Control (continued)
- - Communication
- - Assessing and Managing Risk
- - Preparing to Assess Risk
- - Risk Assessment Process
- - Managing Risk
- - Preventing or Reducing Risk
- - Managing Risk During Change
Part II: Five Components of Internal Control (continued)
- - Control Activities
- - Documentation
- - Approval and Authorization
- - Verification
- - Supervision
- - Separation of Duties
- - Safeguarding Assets
- - Reporting
Part II: Five Components of Internal Control (continued)
- Control Activities (continued)
- - Control Activities for Information Technology
- - Increased Emphasis on Responsibility of non-IT employees using computers in their work, including the use of
- - Encryption to protect confidential or sensitive information
- - Back-up and Restore features to Reduce Risk of Loss of Data
Part II: Five Components of Internal Control (continued)
- - Virus Protection Software
- - Passwords that Restrict User Access to Networks, Data and Applications
- - General Controls Now Focus on Six Major General Control Activities
- - Organization-Wide Security Management Program
Part II: Five Components of Internal Control (continued)
- - General Controls Now Focus on Six Major General Control Activities
- - Access Security Controls
- - Restrictions on User Access
- - Software and Hardware Firewalls
- - Required Password Changes / Deactivation
- - Application Software and Change Control
- - System Documentation
- - Authorizations for I/T Projects
- - Reviewing, Testing and Approving Development and Modification Activities
Part II: Five Components of Internal Control (continued)
- - General Controls Now Focus on Six Major General Control Activities
- - System Software Control
- - Security Procedures Over Acquisition, Implementation and Maintenance of System Software, Database Management Systems, Telecommunications, Security Software and Utility Programs
Part II: Five Components of Internal Control (continued)
- - General Controls Now Focus on Six Major General Control Activities
- - Segregation of Duties: Continue to Emphasize the Importance of Segregation in IT Environment
- - Service Continuity Disaster Recovery
- - Off-Site Storage of Back-up Data
- - Environmental Controls
- - Staff Training
- - Hardware Maintenance and Management
- - Periodic Testing of Contingency Plans
Part II: Five Components of Internal Control (continued)
- - Application Controls
- - Input Controls
- - Processing Controls
- - Output Controls
Part II: Five Components of Internal Control (continued)
- - Control Activities (continued)
- - Monitoring (continued)
- - Staff
- - Supervisors
- - Mid-Level Managers
- - Executive Management
- - Control Activities
- - Mission
- - Control Environment
- - Communication
- - Risks and Opportunities
Part III: Supporting Activities
- - Evaluation
- - Strategic Planning
- - Objectives
- - Goals
- - Operational Plans
- - Assessable Units
Appendix
- Internal Control Reference Sources
- NYS Internal Control Act
- Standards for Internal Control in NYS Government
- Internal Control Integrated Framework (COSO)
- Governmental Internal Control and Internal Audit Requirements, NYS Division of the Budget
- Association of Government Accountants (AGA)
- Control Objectives for Information and Related Technology (COBIT)
- GAO Standards for Internal Control in the Federal Government
- GAO Internal Control Management and Evaluation Tool
- Guidance on Control, The Canadian Institute of Chartered Accountants (COCO)
- Institute of Internal Auditors (IIA)
- NYS Office of Cyber Security and Critical Infrastructure Coordination
- NYS Office of Technology
- NYS Internal Control Association (NYSICA)
- OMB A-123 Management Accountability and Control
- Public Company Accounting Oversight Board (PCAOB)
- Special Publications, The National Institute for Standards and Technology (NIST)