Internal Controls for Financial Operations, Reporting and Compliance
Document Code No.: FIN 15-5-EP
Department/Issuing Agency: DES / FBOD / Financial Management
Effective Date: November 14, 2018
Expiration Date: November 14, 2023
Approved: /s/ Dow Constantine
Type of Action: New
One of the foundational requirements for being the “best run government” is having strong internal controls across our enterprise. When internal controls are weak or viewed as a lower priority, it puts the County’s reputation and credibility at risk with our citizens, businesses, community-based organizations, and other stakeholders. This policy is intended to support agencies in assessing their risks and continuously strengthening their internal controls. It provides specific guidance to County agencies on how to assess, establish, maintain and implement the necessary internal controls that will help promote efficiency and effectiveness in financial operations, assure reliability in financial reporting, and ensure compliance with financial assistance laws and regulations.
II. Applicability and Audience
This policy applies to the Administrative Offices and Executive Departments supervised by the King County Executive. The audience may include any non-Executive Branch King County departments adopting this policy.
“Annual Risk Assessment” – This questionnaire tool is designed for finance managers and other staff responsible for day-to-day financial functions. The tool is used to assess the adequacy of internal controls involving the following functions within divisions and their sub-units: general administration, cash receipts, cash disbursements, and accounts payable, financial records, grant compliance, non-tax receivables and purchasing.
“COSO: Committee of Sponsoring Organizations of the Treadway Commission” – The joint initiative established by five private sector organizations, dedicated to guiding executive management and governance entities on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.
“COSO Effectiveness Index” – The COSO Effectiveness Index is designed for use by leadership teams in departments, agencies and divisions. The index includes a series of questions that assess the effectiveness of internal control components and principles across a department. The index results should be used by department/division or agency leadership to carry out broad oversight and guidance for internal controls across their respective organizations.
“Internal control” – A process, effected by an entity’s governing body, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
“Internal Control - Integrated Framework” – The three-volume manual published by COSO that describes the internal control model and provides the tools and guidance for implementation. The volumes are:
• “Framework and Appendices by COSO (2013)” (hereafter referred to as “the Framework”)
• “Illustrative Tools for Assessing Effectiveness of a System of Internal Control by COSO (2013)” (hereafter referred to as “the Illustrative Tools”).
• “Internal Control Over Financial Reporting: A Compendium of Approaches and Examples by COSO (2013)” (hereafter referred to as “the Compendium”).
“Internal Control Components and Principles” - An effective system of internal controls provides reasonable assurance of the achievement of an entity’s objectives. It can relate to the whole organization or a specific part of an organization - its subunits. An effective system of internal control reduces, to an acceptable level, the risk of not achieving the objectives of an organization. It requires that a) each of the five components and relevant principles are present and functioning; and b) the five components are operating together in an integrated manner. The components and principles of the COSO framework of internal control are at the bottom of this section. Points of focus for each principle can be found in the COSO “Framework” to aid in determining whether a principle is present and operating.
“Internal Control Deficiency” – A shortcoming in a component or components and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives. A major deficiency is an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives.
“Objectives” – What the County is trying to achieve, classified into the following (objectives in this policy are limited to those related to finance, a subset of COSO’s broader set of objectives): a) “Operations” – efficiency and effectiveness of financial operations and safeguarding assets against loss; b) “Reporting” – pertains to accuracy and precision for both internal and external financial reporting, and may encompass reliability, timeliness, transparency or other criteria set forth by regulators, standard setters, or County policies; c) “Compliance” – adherence to all applicable financial laws and regulations, such as federal assistance regulations.
“Points of focus” – Important characteristics of principles that may assist management in designing, implementing, and conducting internal control and in assessing whether the relevant principles are in fact present and functioning.
“Subunits” – The County’s departments, divisions, sections, agencies, operating units, functions and value streams. This includes non-Executive agencies that opt to adopt this policy.
Components and Principles of Internal Control
A. CONTROL ENVIRONMENT - The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Principle 1. The organization demonstrates a commitment to integrity and ethical values.
Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
B. RISK ASSESSMENT – A dynamic and iterative process for identifying and analyzing risks to achieving the County’s and/or departmental objectives, forming a basis for how risks should be managed.
Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
C. CONTROL ACTIVITIES – The actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives.
Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
D. INFORMATION AND COMMUNICATION – Information is the facts and data, synthesized into knowledge, that are vital for the County to carry out internal control responsibilities in support of the achievement of its objectives.
Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Principle 14. The organization internally communicates information including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
E. MONITORING – Ongoing and/or ad hoc evaluations, or some combination of the two, are used to ascertain whether each of the five components of internal control is present and functioning.
Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the governing board, as appropriate.
The County will adopt a comprehensive system of internal controls, based on the COSO Framework, that covers all levels of its organization (its subunits) and comprises policies, procedures and methods that would safeguard its assets, assure reliability of financial data, and comply with legal and contractual requirements.
A. All departments and agencies shall perform the Annual Risk Assessment on all of their subunits to identify significant risks to the achievement of their objectives. Appendix B provides the location of the Annual Risk Assessment questionnaire tool to be used for this purpose.
1) Using this tool each subunit shall document all their existing controls and map them to the identified risks in the assessment to determine the extent that those risks are being mitigated or managed. The risk assessment results shall be used to continually improve the existing internal control system of each subunit. A copy of the completed Annual Risk Assessment document is to be forwarded to the Chief Accountant.
B. All departments and agencies shall perform an annual self-evaluation of the effectiveness of the existing internal control structure in their respective departments, with results broken down by divisions within the department. Appendix B provides the location of the COSO Effectiveness Index questionnaire tool to be used for this purpose. Each year directors shall provide a copy of the completed self-evaluation document to the Chief Accountant.
1) All subunits shall report all major deficiencies uncovered in the COSO Effectiveness Index evaluation to the Executive Audit Committee (EAC). “Major deficiency” is defined in Section II, Definitions, (Internal Control Deficiency), although this definition may be subordinated to other deficiency categorizations established by external authorities, such as regulators, standard-setting bodies, or auditors.
C. All major deficiencies in internal control effectiveness must be corrected by management within one year from discovery. All other deficiencies must be addressed by management before the next Annual Risk Assessment cycle.
D. Individual subunit management shall continuously monitor changes in both risks and internal control effectiveness within their units, updating metrics after each Annual Risk Assessment and COSO Effectiveness Index cycle. The continued functioning of vital control processes that are working, and corrective actions being undertaken to resolve major deficiencies, shall be visually managed through the subunit’s tier board and shared with key stakeholders, auditors and other personnel during regular or ad hoc roundings.
E. Each subunit is expected to drive continuous improvement to their system of internal control. Subunits’ management shall be guided by the Lean tools and techniques that are recommended by the County’s Continuous Improvement Team, the Government Finance Officers Association’s (GFOA) Process Improvement Services, and/or the State of Washington’s Local Government Performance Center.
F. Financial Statements for external purposes shall be prepared in accordance with applicable accounting standards, rules, and regulations. These financial statements for King County include:
1) Comprehensive Annual Financial Reports,
2) Basic Financial Statements in bond official statements,
3) Standalone enterprise statements,
4) State-mandated financial statements (BARS reports),
5) Popular Annual Financial Reports,
6) Condensed financial statements used in other published reports.
State BARS (Budgeting, Accounting and Reporting System) reports shall be prepared in accordance with the State BARS manual. Other external financial reports that are based on the County’s financial and accounting system also include any financial information posted to the County’s official website (kingcounty.gov) or reported in regulatory filings.
G. Finance and Business Operations Division (FBOD)
FBOD shall oversee implementation of the policies and provide the following support to departments and agencies to help with the implementation of this policy:
1) Provide a roster of independent contractors for internal audit purposes.
2) Provide training to other agencies on risk assessments and internal control evaluations.
3) Provide guidance in establishing internal control procedures or controls.
4) Include discussions of internal controls in regular meetings with departments and agencies.
5) Monitor internal controls that impact countywide annual financial reporting and federal assistance compliance objectives.
6) Modify or update the Annual Risk Assessment questionnaire tool and the COSO Effectiveness Index questionnaire tool.
H. Department/Division Directors and Agency Directors
1) Ensure that internal control standard work procedures are in place and are being adhered to by employees.
2) Perform an annual risk assessment using the Annual Risk Assessment questionnaire tool.
3) Perform an annual evaluation of internal controls using the COSO Effectiveness Evaluation questionnaire tool.
4) Use risk assessments and effectiveness evaluations to develop corrective action plans, as needed.
5) Address and monitor deficiencies in internal controls.
6) Report fraud, potential fraud and breaches of internal controls to the Chief Accountant.
7) Communicate progress of corrective actions for internal control deficiencies to the Executive Audit Committee.
I. Executive Audit Committee
1) Provide oversight and direction for the internal control environment across County government.
2) Monitor the internal control environment and address major control weaknesses and deficiencies.
3) Recommend to the Executive any changes in this policy in order to strengthen the County’s internal control environment.
V. Implementation Plan
A. This policy becomes effective for Executive Branch agencies on the date that it is signed by the Executive. Non-Executive Branch agencies may opt to implement this policy at the same time. The Finance and Business Operations Division is responsible for the implementation of this policy.
B. The director of the Finance and Business Operations Division or designee will provide initial and periodic briefings about this policy to the Operations Cabinet and Finance Managers from across the government.
C. Departments and agencies are expected to have their initial Annual Risk Assessment questionnaire tool completed by the end of April 2019 and by the end of the first quarter every year thereafter, unless a schedule change or exception is granted by the director of the Finance and Business Operations Division.
D. Departments and agencies are expected to have their initial COSO Effectiveness Evaluation questionnaire tool completed by the end of April 2019 and by the end of their first quarter every year thereafter, unless a schedule change or exception is granted by the director of the Finance and Business Operations Division.
E. Operations Cabinet members, in conjunction with department and agency finance managers, are responsible for communicating this policy to the management structure within their respective agencies and other appropriate parties.
F. Each department and agency director is required to develop and implement procedures to ensure that the directives in this policy are followed by the employees under their oversight.
This policy will be maintained by FBOD, or its successor agency. The Annual Risk Assessment and COSO Effectiveness Index templates referred to in the Appendix may be modified by FBOD independent of the main policy.
VII. Consequences of Noncompliance
Noncompliance can potentially result in audit findings or adverse audit opinions to the detriment of the County’s bond rating and reputation.
A. Both the Annual Risk Assessment and the COSO Effectiveness Index templates can be found at the Finance Managers Forum SharePoint site, in the Internal Control Assessment Templates folder.
B. Flowchart: Risk Assessment and COSO Effectiveness Index Annual Cycle