Internal Controls for Recipients
of ARPA/SLFRF Funds
Albany Law School Community Economic Development Clinic
Matt DeLaus
Internal Controls – Overview
• Internal control is a process effected by an entity’s oversight body,
management, and other personnel that provides reasonable
assurance that the objectives of an entity will be achieved
• “Standards for Internal Control in the Federal Government” issued by
the Comptroller General of the United States
• Made up of five components, which are each made up of several principles
• Informs the high-level, as well as day-to-day, operations of the
Organization
Component 1: Control Environment
• The “foundation” for an internal control system
• Setting the tone at the top
• Strong control environment is characterized by:
• High ethical standards;
• Management’s commitment to competence;
• Clear assignment of authority and responsibility;
• Effective communication channels; and
• Accountability for performance
Principle 1 – Demonstrate Commitment to
Integrity and Ethical Values
• “The oversight body and management should demonstrate a
commitment to integrity and ethical values”
• The commitment comes from the top, and compliance comes from all
parties
• Illustrative Controls:
• A code of conduct is developed, documented, communicated and periodically
updated
• A code of conduct explicitly prohibits inappropriate management override of
established controls
• Conflict of interest statements are obtained periodically from those charged
with governance (TCWG) and key management
Principle 2 – Exercise Oversight Responsibility
• “The oversight body should oversee the entity’s internal control system”
• Illustrative Controls:
• Process in place to provide effective oversight pertaining to federal award compliance
issues and related risk
• TCWG periodically review ethical and moral conduct violations including stakeholder
complaints regarding issues of federal award compliance with senior management
• A whistleblower submission process exists to receive and evaluate concerns by employees
regarding questionable practices inclusive of issues impacting federal award
compliance/non-compliance
• An audit committee is enabled by the organization’s bylaws
• TCWG have effective two-way communication with external and internal auditors
• TCWG review risk assessments including the risks of fraud for impact on federal compliance
objectives
Principle 3 – Establish Structure,
Responsibility, and Authority
• “Management should establish an organizational structure, assign
responsibility, and delegate authority to achieve the entity’s
objectives”
• Illustrative Controls:
• Policies, procedures and organizational charts provide for segregation of
duties within and among processes and controls
• Policies and procedures are in place to ensure that compliance responsibilities
are assigned to particular positions
Principle 4 – Demonstrate Commitment to
Compliance
• “Management should demonstrate a commitment to recruit, develop,
and retain competent individuals”
• Illustrative Controls:
• Job descriptions include appropriate knowledge and skill requirements
• Appropriate training is provided that is relevant to responsibilities over
compliance objectives
• Personnel with federal award compliance responsibilities are properly trained
on their responsibilities
Principle 5 – Enforce Accountability
• “Management should evaluate performance and hold individuals
accountable for their internal control responsibilities”
• Illustrative Controls:
• Appropriate performance evaluations are provided that establish goals,
accountability, and feedback
• Violations of the Non-Profit policies result in remedial actions to deter others
• Consequences for noncompliance with the Non-Profit policies are
communicated and enforced
• Penalties for inappropriate and/or discriminatory behavior, as well as
harassment, are adequate and publicized
Component 2: Risk Assessment
• Assessing potential risks from internal and external sources in order
to develop appropriate risk responses
• Systematic and ongoing process to identify, analyze, and manage risks
that could prevent Organization from achieving its objectives
• Proactive risk management
Principle 6 – Define Objectives and Risk
Tolerances
• “Management should define objectives clearly to enable the
identification of risks and define risk tolerances”
• Illustrative Controls:
• Management identifies key compliance objectives for types of compliance
requirements
• Management identifies and evaluates risk tolerances related to controls over
compliance
Principle 7 – Identify, Analyze, and Respond to
Risks
• “Management should identify, analyze, and respond to risks related to
achieving the defined objectives”
• Management analyzes and identifies compliance risks
• TCWG have oversight over significant areas of risks
• Employees receive appropriate training to address identified risks
• Risk mitigation strategies are implemented by management
Principle 8 – Assess Fraud Risk
• “Management should consider the potential for fraud when
identifying, analyzing, and responding to risks”
• Illustrative Controls:
• Management reviews audit findings to identify fraud risks
• If an internal audit function exists, it reviews fraud risks and the internal
control structure
• Management reviews the internal control structure for potential fraud risks
• TCWG periodically review a report of the potential fraud risks identified and
actions taken in response to those risks during the period
Principle 9 – Identify, Analyze, and Respond to
Change
• “Management should identify, analyze, and respond to significant changes
that could impact the internal control system”
• Illustrative Controls:
• Management identifies changes such as new personnel, new technology, expanded
operations, rapid growth, or changes in the operating environment and adjusts risk
assessments to address those changes
• Management analyzes compliance requirement modifications to properly adjust
risk
• A communication process with regulators is in place to identify changes in
compliance requirements
• Changes in philosophies or employee turnover are evaluated by management for
any potential impact on related controls
Component 3: Control Activities
• Actions which management establishes through policies and
procedures to achieve objectives and respond to risks in the internal
control system
• Procedures that are part of other processes (e.g., procurement) that
are put in place to ensure risks are being managed and goals are
being achieved
Principle 10 – Design Control Activities
• “Design Control Activities – management should design control activities to achieve
objectives and respond to risks”
• Illustrative Controls:
• Top-level reviews of actual performance
• Reviews by management at the functional or activity level
• Management of human capital
• Controls over information processing
• Physical control over vulnerable assets
• Establishment and review of performance measures and indicators
• Segregation of duties
• Proper execution of transactions
• Accurate and timely recording of transactions
• Access restrictions to and accountability for resources and records
• Appropriate documentation of transactions and internal control
Principle 11 – Design Activities for the
Information System
• “Design Activities for the Information System – management should
design the entity’s information system and related control activities
over technology to achieve objectives and respond to risks”
• Illustrative Controls:
• Management designs the entity’s information system to respond to the
entity’s objectives and risks
• Management designs the entity’s information system to gather relevant data
that is complete, accurate, and valid
• Management continues to evaluate changes in the use of information
technology and designs new control activities when these changes are
incorporated into the entity’s information technology infrastructure
Principle 12 – Implement Control Activities
• “Implement Control Activities – management should implement
control activities through policies”
• Illustrative Controls:
• Management communicates to personnel the policies and procedures so that
personnel can implement the control activities for their assigned
responsibilities
• Management periodically reviews policies, procedures, and related control
activities for continued relevance and effectiveness in achieving the entity’s
objectives or addressing related risks
Component 4: Information & Communication
• Quality information is available for management and employees, who
use it in their decision-making
• Information is automatically captured and either communicated or
made available effectively and efficiently
Principle 13 – Use Quality Information
• “Management should use quality information to achieve the entity’s
objectives”
• Illustrative Controls:
• Financial and programmatic systems capture, accurately process, and timely
report pertinent information
• The accounting system provides for separate identification of federal and non-
federal transactions
• Adequate source documentation exists to support amounts and items reported
• Reports are provided timely to managers for review and appropriate action
• Management verifies the sources and reliability of information used in making
management decisions and executes monitoring controls
Principle 14 – Communicate Internally
• “Management should internally communicate the necessary quality
information to achieve the entity’s objectives”
• Illustrative Controls:
• Relevant internal and external information is communicated and delivered to
employees responsible for federal award compliance on a timely basis
• Effective channels for communication throughout the organization exist
Principle 15 – Communicate Externally
• “Management should externally communicate the necessary quality
information to achieve the entity’s objectives”
• Illustrative Controls:
• Relevant information is communicated to external parties including
subrecipients, vendors, federal granting agencies, and third-party processors
on a timely basis
• Effective channels exist for communications with federal granting agencies,
oversight agencies and cognizant agencies
Component 5: Monitoring
• Activities management establishes and operates to assess the quality
of performance over time and promptly resolve the findings of audits
and other reviews.
• Monitoring activities should be ongoing and designed to identify and
address changes
• Should reflect changes in laws, regulations, policies, procedures, and
the Organization’s structure and operations
• Crucial to ensuring the internal control system remains effective over time
Principle 16 – Perform Monitoring Activities
• “Management should establish and operate monitoring activities to
monitor the internal control system and evaluate the results”
• Illustrative Controls:
• Management monitors the effective operation of critical control activities
• Management monitors the use of effective self-review procedures in critical
compliance areas
• Management monitors the effective review of timely and reliable metrics or
key performance indicators, including reconciliation with data from financial
or other reporting systems to ensure its accuracy and completeness
Principle 17 – Evaluate Issues and Remediate
Deficiencies
• “Management should remediate identified internal control deficiencies
on a timely basis”
• Illustrative Controls:
• Findings, recommendations and other observations by independent auditors,
internal auditors, and federal auditors are distributed and reviewed by those
individuals responsible for compliance with federal requirements.
• Control deficiencies and instances of noncompliance are reported to and
evaluated by management and TCWG, if applicable, for resolution on a timely
basis
• Management periodically monitors the corrective action plans related to known
noncompliance and control deficiencies and the organization’s progress toward
remediating the findings
#6 Examples:
The board of directors reviews and approves the organization's annual budget.
The board of directors reviews and approves the organization's financial statements and audit reports.
The board of directors establishes an audit committee to provide independent oversight of the organization's financial reporting and internal controls.