This document summarizes New York State's experience in mandating and implementing internal controls for state agencies. It outlines the chronology of New York passing legislation in 1987 requiring internal controls and audits. It also describes New York's internal control framework, which is based on COSO and includes statutory requirements, regulatory guidance, and standards issued by the Comptroller. The document provides an overview of New York's implementation of its internal control program over time.
1. How States are Mandating and
Implementing Internal Controls
Presented by:
Mark B. Mitchell, MBA, CIA, CGFM
Director of Internal Audit
New York State Energy Research
and Development Authority
June 27, 2007
Professional Development
Conference & Exposition
2007
AGA’s56th
Annual
2. AGA’s56thAnnualPDC
June 27, 2007 2
Today’s Objectives
Share New York’s Experience
Provide website resources
that you can turn to for
guidance when developing an
effective system of internal
control
3. AGA’s56thAnnualPDC
June 27, 2007 3
NYS Internal Control Program
New York’s Experience
with Mandating and
Implementing Internal
Controls
Background
Chronology
IC Framework
5. AGA’s56thAnnualPDC
June 27, 2007 5
Background
One of the largest
employers in the
nation:
191,000
employees
57 Executive
Branch agencies
130 independent
authorities and
quasi-public
corporations
FY 2008 Enacted
Budget is $121 Billion
New York State Government
7. AGA’s56thAnnualPDC
June 27, 2007 7
NYS Internal Control Act
Chronology
1983 – Mario Cuomo elected 52nd
Governor.
1985 – The Governor’s Office of
Management and Productivity
voluntarily adopts administrative
oversight similar to that of FMFIA.
8. AGA’s56thAnnualPDC
June 27, 2007 8
NYS Internal Control Act
Chronology (continued)
1987 – The NYS Governmental
Accountability, Audit and Internal
Control Act was passed, requiring:
•Implementation of comprehensive
internal controls.
•Audits of internal control systems.
1987 – Comptroller issues first set of
Standards for Internal Control in
NYS government
9. AGA’s56thAnnualPDC
June 27, 2007 9
NYS Internal Control Act
Chronology (continued)
1993 – The legislature extended
the Act until 1999.
1994 – George Pataki elected 53rd
Governor.
10. AGA’s56thAnnualPDC
June 27, 2007 10
NYS Internal Control Act
Chronology (continued)
1997 – The state Assembly
performs a study of state agencies’
internal controls.
1999 – The legislature makes the
Act permanent.
11. AGA’s56thAnnualPDC
June 27, 2007 11
NYS Internal Control Act
Chronology (continued)
2004 – The Office of the State
Comptroller issues it’s audit of Internal
Audit Units’ Compliance.
2004 – The Internal Control Task Force
is created to foster improvements.
2006 – The Internal Control Task Force
issues guidelines to achieve better
compliance.
12. AGA’s56thAnnualPDC
June 27, 2007 12
NYS Internal Control Act
Chronology (continued)
2006 – Eliot Spitzer elected 54th
Governor.
2007 – Budget Division revises
internal control certification. Office
of the State Comptroller plans to
audit for compliance.
14. AGA’s56thAnnualPDC
June 27, 2007 14
New York State’s Internal
Control Framework
New York State’s framework is in the
law, regulations, and standards:
Statutory Requirements
Regulatory Requirements
Standards for Internal Control in
New York State Government
16. AGA’s56thAnnualPDC
June 27, 2007 16
Statutory Requirements
NYS Internal Control Act
1. Establish and Maintain guidelines for
a system of internal controls.
2. Establish and Maintain an IC system
and internal control review process.
3. Make a clear and concise statement
of managerial policies and standards
available to all employees.
17. AGA’s56thAnnualPDC
June 27, 2007 17
Statutory Requirements
4. Designate an Internal Control
Officer.
5. Provide Internal Control
Education and Training.
6. Periodically Evaluate the Need for
an Internal Audit Function.
NYS Internal Control Act (continued)
19. AGA’s56thAnnualPDC
June 27, 2007 19
Regulatory Guidance
Budget Policy and Reporting
Item B-350
• 104 Covered Agencies and
Authorities Report Annually.
They Must Provide:
Compliance Certification
Summary Internal Control Report
Division of the Budget
20. AGA’s56thAnnualPDC
June 27, 2007 20
Regulatory Guidance (con’t)
Describe the Review Process
List High Risk Areas Reviewed
Identify Problems & Corrective Actions
Describe Monitoring & Testing Process
Summarize Education & Training
Report on Internal Audit Compliance
Annual Summary Reports
22. AGA’s56thAnnualPDC
June 27, 2007 22
Standards for Internal
Control in New York
State Government
Based upon the COSO internal
control guidance
Office of the State Comptroller
24. AGA’s56thAnnualPDC
June 27, 2007 24
Definitions of Internal Control
COSO Definition
“Internal control is broadly defined as a
process, effected by an entity’s board of
directors, management and other
personnel, designed to provide reasonable
assurance regarding the achievement of
objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and
regulations
25. AGA’s56thAnnualPDC
June 27, 2007 25
Definitions of Internal Control
New York State Definition1
“A process that integrates the activities,
plans, attitudes, policies, systems,
resources and efforts of the people of an
organization working together, and that is
designed to provide reasonable
assurance that the organization will
achieve its objectives and mission.”
1Source: New York Consolidated Laws, Executive,
Chapter 18, Article 45, § 950 – 954.
26. AGA’s56thAnnualPDC
June 27, 2007 26
Four Purposes of Internal
Control2
1. “To promote orderly, economical,
efficient and effective operations and
to produce quality products and
services consistent with the
organization’s mission;
2. To safeguard resources against loss
due to waste, abuse, mismanagement,
errors and fraud;
2Source: Standards for Internal Control in
New York State Government
27. AGA’s56thAnnualPDC
June 27, 2007 27
Four Purposes of Internal
Control3
3. To ensure adherence to laws,
regulations, contracts and
management directives; and
4. To develop and maintain reliable
financial and management data, and
to accurately present that data in
timely reports.”
3Source: Standards for Internal Control in
New York State Government
29. AGA’s56thAnnualPDC
June 27, 2007 29
Other Guidance
DOB’s BRRM B-350
DOB’s Annual Budget Bulletin
DOB Initial Training/Guidance
Four-step process for IC Review
Manager’s Testing Guide
On demand training and technical
assistance (DOB & OSC)
30. AGA’s56thAnnualPDC
June 27, 2007 30
Other Guidance
Annual Accountability & IC
Conferences
New York State Internal Control
Association (NYSICA)
Internal Control Task Force (ICTF)
Report (e.g., Implementation Guide)
31. AGA’s56thAnnualPDC
June 27, 2007 31
ICTF Guidance
I. Establish an Internal Control
Framework
II. Determine Evaluation Criteria
III. Develop an Implementation
Methodology
IV. Regularly Update the Internal
Control System
V. Establish a Documentation Process
VI. Evaluate the Quality of the Process
33. AGA’s56thAnnualPDC
June 27, 2007 33
Contact Information:
Mark B. Mitchell, MBA, CIA, CGFM
NYSERDA
Director of Internal Audit
17 Columbia Circle
Albany, New York 12203
(518) 862-1090
mbm@nyserda.org