2014-15 Internal Control Questionnaire and Assessment

Bureau of Financial Monitoring and Accountability
Florida Department of Economic Opportunity

September 5, 2014

Table of Contents
Control Environment. 7
Risk Assessment. 9
Control Activities. 11
Information and Communication. 13
Monitoring Activities. 15
Attachment A.. 16.................................................. .................................................. ..................................


Introduction and Purpose
The Internal Control Questionnaire and Assessment (ICQ) has been developed by the Department of Economic Opportunity (DEO) as a self-assessment tool to help evaluate whether a system of sound internal control exists within the Regional Workforce Board (RWB). An effective system of internal control provides reasonable assurance that management’s goals are being properly pursued. Each RWB’s management team sets the tone and has ultimate responsibility for a strong system of internal controls.

The self-assessment ratings and responses should reflect the controls in place. When the questionnaire is completed it should be submitted to DEO by the Executive Director.

Definition and Objectives of Internal Controls

Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

· Effectiveness and efficiency of operations
· Reliability of financial reporting
· Compliance with applicable laws and regulations

The concept of reasonable assurance implies that the internal control system for any entity, will offer a reasonable level of assurance that operating objectives can be achieved.

Need for Internal Controls

Internal controls help to ensure the direction, policies, procedures, and practices designed and approved by management and the governing board are put in place and are functioning as designed/desired. In addition, the A-102 Common Rule and OMB Circular A-110 (2 CFR Part 215) require that non-Federal entities receiving Federal awards establish and maintain effective control over and accountability for all funds, property, and other assets. Internal controls should be designed to achieve the objectives described above, adequately safeguard assets from loss or unauthorized use or disposition, and to provide assurance that these assets are used solely for authorized purposes in compliance with Federal laws, regulations, and program compliance requirements. It should be noted that internal controls under Uniform Administrative Requirements, Cost Principles, and audit requirement for federal awards, commonly referred to as the “Supercircular” also states under § 200.303 Internal controls:

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.
(c) Evaluate and monitor the non-Federal entity's compliance with statute, regulations and the terms and conditions of Federal awards.
(d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings.
(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.

What Internal Controls Cannot Do

As important as an internal control system is to an organization, an effective system will not guarantee an organization’s success. Effective internal controls can keep the right people, such as management and the governing board members, informed about the organization’s operations and progress toward goals and objectives. However, these controls cannot protect against economic downturns or make an understaffed entity operate at full capacity. Internal controls can only provide reasonable, but not absolute, assurance that the entity’s objectives can be met. Due to limitations inherent to all internal controls systems, breakdowns in the internal control system may be caused by a simple error or mistake, or by faulty judgments made at any level of management. In addition, controls may be circumvented by collusion or by management override. The design of the internal controls system is dependent upon the resources available, which means there must be a cost-benefit analysis performed as part of designing the internal control system.

Five Components of Internal Control

· Control Environment – is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.
· Risk Assessment – involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve objectives.
· Control Activities – are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.
· Information and Communication – are necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
· Monitoring – are ongoing evaluations, separate evaluations, or some combination of the two used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.
Makeup of the ICQ

Subsequent sections of this document emphasize the “17 Principles” of internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and presented in the Internal Control – Integrated Framework (2013). The five components of internal control listed above are basically identical to the five standards of internal control and reflect the same concepts that the “Standards for Internal Control in the Federal Government” utilizes.

The principles are reflected in groupings of questions related to major areas of control focus within the organization. Each question represents an element or characteristic of control that is or can be used to promote the assurance that operations are executed as management intended.

It should be noted that entities may have adequate internal controls even though some or all of the listed characteristics are not present. Entities could have other appropriate internal controls operating effectively that are not included here. The entity will need to exercise judgment in determining the most appropriate and cost effective internal control in a given environment or circumstance to provide reasonable assurance for compliance with Federal program requirements.

Completing the Document
On a scale of 1 to 5, with “1” indicating the greatest need for improvements in internal controls and “5” indicating that a strong system of internal controls already exists, select the number that best describes your current operating environment. Please provide details in the comments/explanations field for each statement with a score of 1 or 2.
Certification of Self-Assessment of Internal Controls
Attachment A, includes a certification which should be completed and signed by the Executive Director, and uploaded to SharePoint.

Control Environment
Self-Assessment of Policies, Procedures, and Processes
Weak Strong
1 2 3 4 5 Comments/Explanations
Principle 1. The organization demonstrates a commitment to integrity and ethical values.
1. RWB management and the board of director’s expectations translate into an organizational statement of beliefs, values, and standards of conduct that the staff exhibit daily.
2. RWB’s standards of conduct are communicated and reinforced to all levels of the RWB and to outsourced service providers.
3. Processes are in place to evaluate the performance of staff and outsourced service providers against expected standards of conduct.
Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
4. The Board of Directors define, maintain, and periodically evaluate the skills and expertise needed among its members to enable them to question and scrutinize management’s activities and present alternate views.
5. How well does the committee that oversees internal control over financial reporting and the integrity and transparency of those reports complete these tasks?
6. The board establishes the expectations and evaluates the performance of the chief executive officer or equivalent role.
Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
7. The organizational structure is appropriate for the size and complexity of the RWB.
8. Specific lines of authority and responsibility are established to ensure compliance with federal and state laws and regulations.
The RWB management/board understands the importance of internal controls, including the division of responsibility.
Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
10. Regular employee evaluations are documented and shared with employees.
11. The RWB continuously provides mentoring and training opportunities needed to attract, develop, and retain sufficient and competent personnel.
12. The RWB checks credentials, references, and past work experience of potential new hires.
Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
13. The RWB holds periodic training to ensure employees are aware of their duties pertaining to internal control (e.g. segregation of duties, safeguarding RWB assets). Training needs are continuously reevaluated.
14. Controls and documentation are in place to substantiate that employees have received periodic training and are aware of their duties pertaining to internal controls.
15. Disciplinary actions are documented and available for employee review. Where applicable, the RWB has a documented corrective action program/coaching plan for employees facing disciplinary actions.

Risk Assessment
Self-Assessment of Policies, Procedures, and Processes
Weak Strong
1 2 3 4 5 Comments/Explanations
Principle 6. The organization specifies with sufficient clarity to enable the identification and assessment of risks relating to objectives.
16. The RWB specifies objectives with sufficient clarity enabling the identification and assessment of risks that threaten the achievement of those objectives.
17. Management uses operational objectives as a basis for allocating the resources needed to attain desired operational and financial performance.
18. The RWB sets entity-wide financial reporting controls and assesses the risks that those controls will not prevent material misstatements, errors, or omissions in the financial statements. Risk acceptance or avoidance is limited to instances where identified risks would not individually or in aggregate result in material misstatements, errors, or omissions.
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
19. Management ensures that risk identification considers both internal and external factors and their impact on the achievement of objectives.
20. The RWB adequately and effectively manages risks to the organization and has designed internal controls that mitigate the identified risks.
21. The RWB develops performance indicators for key objectives and monitors the status of the indicators on a regular basis.
Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
22. The RWB periodically performs an assessment of its exposure to fraudulent activity and how the operations could be impacted.
23. The RWB periodically performs an assessment of each of its operating locations potential exposure to fraudulent activity and how the operations could be impacted.
24. The RWB’s assessment of fraud risks considers opportunities for unauthorized acquisition, use and disposal of assets, altering the reporting records, or committing other inappropriate acts.
Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
25. The RWB has mechanisms in place to identify and react to risks presented by changes in government, regulatory, economic, operating, or other conditions that could affect the achievement of the goals and objectives.
26. The most significant risks affecting the RWB have been identified. Describe these significant risks in the comments/explanation section.
27. The most significant risks, identified above, have controls designed and implemented that mitigate risks associated with each.

Control Activities
Self-Assessment of Policies, Procedures, and Processes
Weak Strong
1 2 3 4 5 Comments/Explanations
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
28. Management determines which relevant business processes require control activities.
29. Management considers control activities at various levels in the RWB.
30. Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.
31. Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.
32. Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.
33. The RWB has a process that requires regular back-up of computer files and testing of the back-up files to ensure proper functionality.
Principle 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.
34. The RWB has policies and procedures addressing proper segregation of duties between the authorization, custody, and recordkeeping for the following tasks, if applicable: Prepaid Program Items (Participant Support Costs), Cash/Receivables, Equipment, Payables/Disbursements, Procurement/Contracting, and Payroll/Human Resources. For tasks lacking the appropriate segregation of duties describe any compensating controls in place in the comments/explanations section.
35. Management performs periodic review of policies and procedures to determine their continued relevance, and refreshes them when necessary.
36. The RWB maintains policies and procedures to facilitate the recording and accounting of transactions in compliance with laws, regulations, and provisions of contracts and grant agreements.

Information and Communication
Self-Assessment of Policies, Procedures, and Processes
Weak Strong
1 2 3 4 5 Comments/Explanations
Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
37. Federal, state, or grant program rules or regulations are reviewed with one or more of the following: governing board, audit, finance or other committee.
38. The RWB maintains and follows procedures for record filing, retention, and disposal of accounting records and supporting documentation in accordance with applicable regulations.
39. The RWB’s accounting system provides for separate identification of federal grant transactions and non-federal transactions and allocations of transactions that benefit both.
Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
40. Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the RWB’s objectives.
41. The Code of Conduct, or other policies, expressly prohibit override of internal controls by management.
42. Management has a process for the development, approval and implementation of policy updates and communicates those updates to staff.
Principle 15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
43. The RWB has a Whistleblower policy for people to report suspected improprieties regarding fraud; errors in financial reporting, procurement, and contracting; improper use or disposition of equipment; and misrepresentation or false statements.
44. The RWB has processes in place to communicate relevant and timely information to external parties.
45. The RWB has processes in place to communicate the results of reports provided by the following external parties: Independent Auditor, DEO Bureau of Financial Monitoring and Accountability (FMA), DEO Bureau of One-Stop and Program Support, DEO Office of Inspector General, Florida Auditor General, and Federal Awarding Agencies (USDOL, USDHHS, and USDA) to the Board of Directors.

Monitoring Activities
Self-Assessment of Policies, Procedures, and Processes
Weak Strong
1 2 3 4 5 Comments/Explanations
Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
46. The RWB periodically evaluates business processes such as cash management, budget to actual results, repayment or reprogramming of interest earnings, draw down of funds, procurement, and contracting activities.
47. The RWB ensures compliance with period of availability requirements.
48. RWB management periodically visits Career Center locations and other decentralized locations (including subrecipients) to determine whether policies and procedures are being followed as intended.
Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
49. The RWB periodically evaluates internal controls, tests for compliance with federal requirements, and communicates the results of those evaluations to the RWB’s Board of Directors.
50. The RWB monitors subrecipients to ensure that federal funds provided are expended only for allowable activities, goods, and services and communicates the monitoring results to the RWB’s Board of Directors.

Attachment A

Department of Economic Opportunity
Certification of Self-Assessment of Internal Controls

Regional Workforce Board:

To be completed by the Executive Director

A self-assessment of internal controls has been conducted for the fiscal period beginning July 1, 2014 (fiscal period 2014/15). As part of this self-assessment, the Internal Control Questionnaire developed by the Department of Economic Opportunity has been completed and is available for review.

Signature: ____________________________

Printed Name:



Please scan and upload to SharePoint an executed copy of this certification on or before October 3, 2014.