OF MANAGEMENT AND BUDGET
INTERNAL CONTROL REPORTING
OF ADMINISTRATION AND CHIEF FISCAL OFFICERS
CONTACT: JOHN DITRI
This Circular Letter
supersedes Circular Letter 98-02-OMB. The most significant change is the
requirement that all state executive agencies use Treasury's Internal
Control Questionnaire to perform their annual assessment of internal controls.
See the section entitled Assessment of Internal Controls.
The Director of
Budget and Accounting has the statutory authority (N.J.S.A.52:27B-37)
".to examine, audit and adjust all encumbrances and statements of indebtedness
In the interest
of a more effective State government, the Office of Management and Budget
(OMB) had delegated the pre-audit of payments for goods, services and
travel to State agencies. Along with this authority comes a heightened
responsibility for the State agencies to maintain effective internal controls.
The purpose of this
circular is to require an annual self-assessment of internal controls
by State executive branch agencies. This self assessment will help managers
evaluate internal controls and identify possible deficiencies within their
areas of responsibility. Such an effort will lead to the implementation
of more effective controls before problems arise.
The final product
of this process, an internal control self-assessment report signed by
the agency head and chief financial officer, is to be submitted to the
Director of the Office of Management and Budget on or before July 1, annually.
In addition to establishing
the annual agency self-assessment of internal controls, this circular:
- Defines internal
- Establishes responsibility
for maintaining effective internal controls, and
- Describes the
activities to be undertaken by OMB to ensure that State executive agencies
comply with this Circular Letter.
is defined as a process, effected by the entity's management and other
personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following categories:
and efficiency of operations,
- Reliability of
financial reporting, and
- Compliance with
applicable laws and regulations.
are established by management, it must also establish a process that encourages
employees to follow and meet the established objectives. Thus, a critical
part of the success of the internal control process is the following five
- It sets the tone of an organization, which influences the control consciousness
of its employees. The control environment is the foundation for all other
components of internal control because it provides discipline and structure.
factors include the people of the organization; management's philosophy
and operating style; the way management assigns authority and responsibility,
and organizes and develops its people.
- Risk assessment is the process that the entity must conduct to identify
and assess any relevant risk to its objectives. Once this is done, management
must determine how the risks should be managed.
The entity must
be aware of and deal with the risks it faces. It must set objectives,
which are integrated with the program, financial, and other activities
so that the organization is operating in concert. It also must establish
mechanisms to identify, analyze, and manage the related risks.
- Control activities are the policies and procedures that help ensure
that management directives are carried out.
help ensure that the necessary actions are taken to address risks to the
achievement of the entity's objectives. Control activities occur throughout
the organization and include such things as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security
of assets, and segregation of duties.
Communication - These two key elements help management carry out its
responsibilities. Management must establish a timely and effective process
for relaying information.
internal control activities are information and communications systems.
These enable the entity's people to capture and exchange the information
needed to conduct, manage, and control its operations. Effective communication
must flow down, across, and up the organization as well as to external
parties. All personnel within an entity must receive a clear message from
top management that control responsibilities must be taken seriously.
They must understand their own role in the internal control system and
how individual activities relate to the work of others.
- Monitoring is a process that an entity uses to assess the quality of
its internal control performance over time.
includes regular management and supervisory activities and other actions
taken in the course of daily operations. Any internal control deficiencies
should be reported upstream, with serious matters reported to top management.
FOR MAINTAINING EFFECTIVE INTERNAL CONTROLS
Agency heads are
responsible for adhering to the statewide internal control policies and
adapting them to their agencies' objectives. This helps to ensure a positive
control environment and conveys high ethical standards to agency managers.
Division heads are
responsible for aligning division objectives with agency policy. Division
objectives guide the development and implementation of internal control
policies and procedures and ensure consistency with overall agency objectives
and the strategic plan. Division heads assign specific responsibility
for internal control to program administrators who have a hands-on role
in devising and executing internal control policies.
play a particularly significant role in the implementation of financial
internal controls. They track and analyze agency performance from a financial
perspective. Financial officers are important in preventing and detecting
fraudulent reporting. According to the 1992 Treadway Commission report,
financial officers have the responsibility to:
- Help set the
tone of ethical conduct,
- Design, implement,
and monitor the financial reporting system
- Identify unusual
situations caused by fraudulent financial reporting,
- Help establish
agency financial objectives, and
- Help analyze financial
activities are explicit or implicit in the duties of every staff member
including the following:
- Delivering services
to the public,
- Maintaining financial
- Inspecting and
maintaining physical assets.
In addition, each
staff member has the responsibility of communication to higher levels
within the agency, regarding the following matters:
- Problems in operations,
with codes of conduct
- Violations of
- Illegal or unethical
Each staff member
has the responsibility to resist pressure to participate in improper activities.
The internal control system needs to include channels outside normal reporting
lines, permitting each staff member to report concerns without fear of
Within an agency,
internal auditors have a direct role in examining the adequacy and effectiveness
of internal controls. They also have a responsibility to recommend improvements.
Internal auditors have the difficult challenge of remaining objective;
they must maintain independence if they are to do their job effectively.
The Standards for
the Professional Practice of Internal Auditing established by the Institute
of Auditors describe that important role. Internal auditors must be concerned
with the following:
- The reliability
and integrity of financial and operating information and the means used
to identify, measure, classify and report such information,
- The system established
to ensure compliance with policies, plans, procedures, laws and regulations
with potential for significant impact operations and reports; determining
whether the organization is in compliance,
- The means of safeguarding
assets in verifying, as appropriate, the existence of such assets,
- The economy and
efficiency with which resources are employed, and
- The operations
and programs to ascertain whether results are consistent with established
objectives and goals, and whether the operations and programs are being
carried out as planned.
The dual nature
of an internal auditor's role and the scrupulous maintenance of his or
her independence requires that potential conflicts of interest be carefully
monitored. At the same time, internal auditors need to recognize their
limitations - they do not have primary responsibility for establishing
policy or maintaining internal control.
Oversight and governance
groups within the Executive Branch include the Office of Management &
Budget and the Division of Purchase & Property. These groups set standards
and specify procedures for the operation of State programs.
An agency's assessment
of internal controls can be performed using a variety of methodologies.
The preferred methodology for the State of New Jersey is explained in
the report entitled "Internal Control - Integrated Framework." This report
was issued by the Committee of Sponsoring Organizations (COSO) of the
Treadway Commission. One volume of this report contains evaluation tools
for each internal control component.
The Department of
the Treasury, Division of Administration, has developed an Internal Control
Assessment questionnaire that incorporates the COSO methodology. All executive
branch agencies must use this questionnaire in performing their annual
internal control assessment unless specifically exempted by OMB. In order
to obtain an exemption, the agency head must submit a memorandum to the
OMB Director requesting the exemption and explaining in detail how the
agency's methodology conforms to the COSO methodology.
Control Assessment questionnaire is available through the Department of
the Treasury website.
THE OFFICE OF MANAGEMENT & BUDGET
OMB is responsible
- Ensuring that
State agencies have established and maintained effective internal controls,
- Ensuring that
State agencies are continually evaluating their internal controls, and
- Performing post-audits
Therefore, the OMB
Accounting Operations Unit will periodically visit each State executive
agency to review the documentation supporting the assessment of internal
controls and to perform audits of transactions.
Charlene M. Holzbaur