The State of South Dakota’s Statewide Internal Control Framework was a 2020 GFOA Awards for Excellence Winner in the Exceptionally Well Implemented GFOA Best Practice category. GFOA’s Awards for Excellence in Government Finance recognize innovative programs and contributions to the practice of government finance that exemplify outstanding financial management. The awards stress practical, documented work that offers leadership to the profession and promotes improved public finance.
South Dakota Creates an Internal Control Framework
The State of South Dakota’s Statewide Internal Control Framework allows the state and its agencies to implement an adaptive, effective internal control system. The framework’s standards provide guidance for establishing, maintaining, assessing, and reporting effective internal controls across the state government. The purpose of this project is to provide a greater level of assurance to state leadership that the state is accomplishing its operational, reporting, and compliance outcomes.
The idea for the framework came about because of an instance of fraud committed by vendors that received funding from the state. As Mark Quasney, former statewide internal control officer and current state economist, explained that the investigations into the incident made state officials realize agencies weren’t following guidance consistently, and a standardized form of internal control across state government was needed to avoid running from issue to issue. Instead, the framework would give agencies the tools they needed to be able to identify issues before problems occurred and to put measures in place to mitigate those risks.”
The State of South Dakota was looking for a way to implement a system of internal control that went beyond what was already in place, Quasney explained. The state wanted to ensure that it was being proactive, not just reacting to instances of fraud as they occurred but actually preventing fraud from occurring.
Creating the Framework
The state worked with consultants to create the initial draft of the Statewide Internal Control Framework. To begin this process, a joint team worked with leaders and professionals across the state’s agencies. A multi-agency Internal Control Framework Steering Committee was created to gain more insight into the operation of each part of the state. The Statewide Internal Control Officer Framework then formally developed the framework in 2018, in collaboration with the Framework Steering Committee, and the framework was implemented over a 10- to 16-week period that included different levels of training. Agencies conduct their own risk identification, risk prioritization, control identification and documentation. Also, a State Board of Internal Control was created to build in accountability; agencies are required to report to the board twice a year about their internal controls.
The framework is closely aligned with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles. COSO language is usually used by the private sector, but South Dakota adapted it for state government. As Quasney explained, “We understood that the public and private sectors don’t align perfectly and that there are some nuances in how governance occurs between government and private sector. We knew we couldn’t just take COSO and say, ‘OK, now the state is using COSO.’” South Dakota worked with its consultants to create something that was COSO-based but catered to a governmental setting.
Taking inspiration from COSO, the framework is made up of 8 elements: Program Management; Roles and Responsibilities; Tools and Technology Enablement; Continuous Improvement; Information, Communication, and Reporting; Monitoring and Testing; Control Identification; and Strategy and Governance. The elements are laid out in a wheel structure to build in continuous improvement as part of the process. The idea is that once an agency goes through the framework and all 8 elements, the agency “starts back over, constantly getting better, constantly improving the framework, constantly improving the state of internal control in state government,” Quasney said.
Getting Continuous Improvement Underway
The framework was designed to help agencies get that system of continuous improvement underway, after which each agency would be the owner of their own framework. Allysen Kerr, the current statewide internal control officer, explained that the guidance has to be put into operation at the agency level, not centrally by the state government. Quasney agreed, noting that the key is for agencies to own their respective frameworks. The framework is meant to be a tool to help agency leadership manage their agencies and to cover all categories of risk, not just to focus narrowly on something such as fraud, he explained.
As of May 2019, the Statewide Internal Control Framework had been implemented in two agencies, the Bureau of Finance and Management, and the Department of Revenue. The two agencies identified a total of 165 controls and 514 risks, and 100 percent of self-assessments were completed on time. Kerr and the state are now focused on contracting with a technology company to bring everything online and working with more agencies. They are working with one agency per quarter, implementing and set up the framework. “We sit down with one agency at a time and help identify risks, and see if they have any controls implemented for those risks,” Kerr said.
Challenges and Lessons Learned
Quasney and Kerr point out a number of challenges encountered in creating and implementing the framework. The main challenge, as mentioned above, was adapting the COSO framework to a public setting like the State of South Dakota. Quasney noted that the initial challenge was that other states haven’t addressed control by adapting something normally used in the private sector for government. “Balancing a very strong system of internal control and also understanding that agencies have their independence was a critical part of this challenge,” he explained. The state created the steering committee, held question and answer sessions, developed the framework, bounced ideas off the steering committee to find what would work and what would need some revision.
Other challenges included creating buy-in for the framework among state agencies and finding software partners that understood what the government would need.
GFOA Best Practices
The state followed GFOA’s Internal Control Framework best practice in creating its Statewide Internal Control Framework.