Internal Control Environment

In its Internal Control Framework best practice, GFOA recommends that state, provincial, and local governments adopt the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework (2013) as their conceptual basis for designing, implementing, operating, and evaluating internal control, so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives. To support governments’ efforts in this area, GFOA is developing best practices that explain how to implement each of the five components of that framework. This best practice focuses on the first of those five components, the control environment, which the COSO has defined as a set of standards, processes, and structures that provide the basis for carrying out internal control.

The governing body, upper-level management, and all levels of staff throughout the organization should demonstrate a commitment to the framework

• Setting “the tone at the top” by prioritizing integrity and ethical values (governing body and management);
• Officially adopting the COSO framework (governing body);
• Adopting a policy to incorporate the implementation, maintenance, and updating of the framework into the government’s strategic goals (governing body), by establishing a structure of authority and responsibility;
• Developing standards of conduct for employees and providing training on those standards;
• Requiring management and employees to sign statements declaring that they will follow the standards of conduct (commitment statements) and annual signature of conflict of interest and commitment statements; and
• Including compliance with standards of conduct as part of employee evaluations to ensure accountability.

The governing body should exercise oversight responsibility for internal control

• Actively overseeing management’s implementation of the framework and of internal controls that function as part of the framework;
• Actively monitoring the performance of internal controls;
• Obtaining education about the nature and purpose of internal control sufficient to allow members of the governing body to meaningfully perform their oversight function, with the assistance of a financial expert;
• Establish an audit committee (or equivalent) made up of members of the governing body[3];
• Obtaining expert advice, independent of management, to help it perform its oversight function if no member of the audit committee possesses financial expertise;
• Documenting that controls have been reviewed and updated if necessary;
• Approving significant control-related policies; and
• Determining how often policies and procedures need to be reviewed (annually), reaffirmed, and updated (at least every two years, or when processes change).

Management should establish organizational structure and lines of authority to ensure staff accountability

• Creating a formal organizational chart for both the government as a whole and for each of its departments;
• Requiring written procedures for important government processes (for example, payroll);[4]
• Developing flowcharts of each significant process;
• Maintaining electronic copies of process flowcharts to facilitate updating;
• Identifying responsibilities for departmental and individual workflow approvals in their systems; and
• Ensuring that systems incorporate documented compensating controls, including manual controls, if necessary.

Governments should commit to attracting and retaining competent employees.

• Developing and maintaining up-to-date comprehensive job descriptions;
• Ensuring that hiring panels include experts in the desired skill sets;
• Prioritizing opportunities for employees to gain continuing professional education to stay current in their fields;
• Prioritizing membership in professional organizations to encourage the development of networks and obtain professional education;
• Supporting the development of succession planning;
• Cross-training staff;
• Thoroughly documenting the responsibilities of each position and appropriate processes, for succession planning;
• Providing managerial training, in addition to technical training, for staff members who will be promoted;
• Requiring that supervisors give staff members hands-on training on key responsibilities; and
• Developing an ongoing mentoring program to enhance employees’ skills.[5]

Governments should enforce accountability for all staff regarding their internal control responsibilities.

• Preparing comprehensive, consistent, and fact-based performance appraisals;
• Providing performance appraisals on a timely basis;
• Taking disciplinary action if conduct is not consistent with expected performance;
• Including internal control compliance as part of employee performance reviews;
• Establishing zero-tolerance policies (e.g., theft) and adhering to them; and
• Ensuring that union agreements and other employment contracts clearly delineate responsibilities up front.

This best practice was previously titled Framework for Internal Control: The Control Environment.