
OFFICE OF THE NEW YORK STATE COMPTROLLER

DIVISION OF
LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY

LOCAL GOVERNMENT MANAGEMENT GUIDE

INTERNAL CONTROLS
Table of Contents

Introduction

Overview

Part I Assessing Internal Controls

Local Government Operations
Internal Controls
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Soft Controls
Conclusion

Part II Additional Resources

Web Sites

Questionnaires

Accounting Records
    Segregation of Duties
    Timeliness and Usefulness

Cash Receipts
    Segregation of Duties
    Accountability
    Verifiability

Cash Disbursements
    Segregation of Duties

Cash Management

Purchasing
    Policies and Procedures
    Segregation of Duties
    Verifiability

Personnel
    Segregation of Duties
    Verifiability

Standards of Internal Control (Matrix)

Dimension Issues

Control Environment
    Safeguard Assets
    Compliance
    Information

Communication
    Operations
    Safeguard Assets
    Compliance
    Information

Assessing and Managing Risk
    Operations
    Safeguard Assets
    Compliance
    Information

Control Activities
    Operations
    Safeguard Assets
    Compliance
    Information

Monitoring
    Operations
    Safeguard Assets
    Compliance
    Information

Regional Office Listing

Central Office Listing


INTERNAL CONTROLS

Introduction

Internal controls are essential to the effective operation of local governments. Simply
put, internal controls are those activities in place to provide reasonable assurance that
things are “going according to plan.” Without adequate safeguards, managers have
little assurance that their fiscal goals and responsibilities are being met. At the same
time, adequate controls can reduce the likelihood that errors and/or irregularities could
occur and go undetected. The right internal controls can help ensure that “good” things
happen and that “bad” things don’t.

Overview

The following sections are designed to help local managers assess the internal controls
of their local governments:

• Local Government Operations
• Internal Controls
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Soft Controls
• Conclusion
• Additional Resources

I. Assessing Internal Controls

Local Government Operations

Local officials are faced with the daunting task of providing the services needed and
demanded by citizens with limited resources that are available to pay for these services.
Local governments provide services to their citizens, but in many ways they do not
operate in the same manner as private businesses. A private business providing
services to its customers bills and generally receives payment for these services upon
delivery, or soon after delivery. There is an agreement between the customer and the
business as to the value of that service, and the customer is generally able to choose
from a variety of service providers. This is not the case with local governments. The
taxpayer cannot choose from a variety of service providers when it comes to local
government services, and in many instances there is no direct link between the dollar
value of the service provided and the payment for the service. Taxes are paid, generally
at the beginning of the fiscal year, while services are delivered throughout the year.

The taxpayer, of course, is very aware of the amount paid in taxes. However, many
taxpayers do not associate the amount of taxes paid with all the services the local
government provides, but rather only the few services that directly benefit or are utilized
by that taxpayer. Such a situation can lead to the impression that the government is
inefficient and taxes are too high. There is a tendency in government to resist increases
in taxes, or reductions in services. Thus, it is imperative that local officials manage and
protect the resources at their disposal in the most effective way possible. Developing
and utilizing effective internal controls can help ensure that this is done properly.

Internal Controls

Government officials entrusted with public resources are responsible for complying with
laws and regulations, meeting goals and objectives, safeguarding assets, and issuing
reports that inform the public of the results of government activities. A good internal
control system is intended to assist local officials in meeting these responsibilities.

Internal controls have always been an important element of any organization’s financial
and operating structure. In the 1990s, concerns about fraudulent financial reporting
resulted in a group being formed and a study on internal controls being produced. This
group - the Committee of Sponsoring Organizations (COSO) - developed a report that
defines internal control and identifies five key elements of internal control.

The COSO report defined internal control as “a process, effected by an entity’s board of
directors, management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives in effectiveness and efficiency of operations,
reliability of financial reporting, and compliance with applicable laws and regulations.”
The five elements of internal control identified by the COSO report are: Control
Environment, Risk Assessment, Control Activities, Information and Communication,
and Monitoring. We will discuss each of these elements and how they can be used in
improving an internal control system.

2 - Chapter 14: Local Government Management Guide


Essential to internal control is the setting of goals and objectives. At the local
government level, goals and objectives should be incorporated into a strategic plan that
includes a mission statement and broadly defined initiatives. (See also our chapter on
strategic planning.) Each department should identify goals and objectives that support
the local government’s strategic plan. Goals and objectives for the three areas included
in the definition of internal control might include:

• Operating Objectives - Achieving the basic mission of the local government
or the department. Setting performance standards to measure the economy
and efficiency of department operations, effectiveness of its operations, and
safeguarding assigned resources against loss.

• Financial Reporting Objectives - Preparation of reliable financial reports,
including the prevention of fraudulent public financial reporting. While
financial reporting may primarily fall under the department responsible for the
government’s overall accounting function, individual departments may have to
provide essential information in producing reliable accounting records from which
the resultant financial reports are prepared. As examples, separate departments
may be required to code purchases to the proper categories, document receipt
and acceptance of goods so that payables can be properly reported, produce
customer billings of various revenues, process collection of incoming cash
receipts, and/or perform other applicable functions.

• Compliance Objectives - Identification of laws and regulations applicable to the
local government and departmental operations.

Control Environment

The control environment sets the tone of an organization, influencing the control
consciousness of its people. Factors that determine the control environment of a
local government are: the integrity, ethical values and competence of its people;
management’s philosophy and operating style; the way in which management assigns
authority and responsibility; the way management organizes and develops its people;
and the attention and direction provided by the governing board.

The control environment has a pervasive influence on all the decisions and activities of
an organization. A positive control environment is the foundation for all other standards
of internal control, providing discipline and structure. A common term in current
parlance is “tone at the top.” Management sets the tone for the control environment.
This is displayed by the policies they adopt, the organizational structure they impose,
how they assign authority and responsibility, hiring practices, the extent of involvement
they maintain in operations and the ethical behavior they exhibit. Employees are
also responsible for the control environment, but they generally take their lead from
management.

The governing board and other management personnel set the proper tone for the
control environment when they establish and effectively communicate a code of ethics
and written policies and procedures, behave in an ethical manner, observe the same
rules they expect everyone else to observe and require the appropriate standard of
conduct from everyone in the organization. Employees observe how management
conducts itself, and that conduct speaks more fluently than the written policies that
management expects employees to follow.

Accountability is a key element of the control environment. The control environment
is greatly influenced by the extent to which individuals recognize that they will be held
accountable.

Effective human resource policies and procedures can enhance a government’s
control environment. The policies and procedures enacted by a local government
may be determined by the size and complexity of the government’s operations. Such
policies and procedures are also subject to applicable laws, regulations and collective
bargaining agreements. Local officials should consider the following areas for human
resource policy development: hiring, orientation, training, evaluations, counseling,
promotions, compensation and disciplinary actions.

Governing boards should look at the complexity of their government’s operations and
decide which policies need to be adopted and the extent of those policies. Policies
should not exist in a manager’s head. They should be in writing and made available
to all employees. Governing boards should take an inventory of their written policies
and consider the following questions: What are the current policies? Have they
been reviewed for reasonableness under current conditions? Are they available to all
employees? Do they cover all the needed areas of operations?

Some areas where written guidance could be developed to enhance the control
environment are:

• Code of ethics - make sure the adopted code of ethics is in conformance with
applicable statutes and clearly defines the standard of conduct expected of
officers and employees.

• Policies and procedures manual - that addresses significant activities and unique
issues, employee responsibilities, limits to authority, performance standards,
control procedures and reporting relationships.

• Job descriptions - that identify competence levels for knowledge, skills and
experience.

• Personnel policies - that set forth hours, leave time, benefits, equal opportunity,
and disciplinary procedures.



• Performance evaluations - with regularly scheduled evaluations and guidance on
how to maximize the benefits of evaluations.

Points to Remember

Setting the proper control environment for a local government is crucial to the
effective implementation of all the other elements of internal control. Staff will
take their cue from the attitude and example displayed by management. If
employees see officials or department heads abusing their authority or not being
held to the appropriate policies, as employees are, then they may also begin
abusing the policies. As the old saying goes, “Actions speak louder than words.”
Management must communicate its support for internal controls to all levels of
staff within the organization. The control environment is enhanced by written
policies governing employee activities that are communicated to employees and
acted upon.

Risk Assessment

Risk assessment is the identification of factors or conditions that threaten the
achievement of management’s objectives. It involves identifying significant risks to the
effectiveness and efficiency of operations, to the reliability of financial reporting, and
to compliance with applicable laws and regulations. Every local government faces
a variety of risks from external and internal sources that must be assessed. Risk
assessment also involves forming a basis for determining how the risks should be
managed. Because conditions impacting operations will continue to change, processes
are needed to identify and deal with the special risks associated with change.

The nature of some activities or assets makes them a greater risk than others. This is
often referred to as inherent risk. The increased inherent risk of these items needs to
be considered in assessing risk. Some characteristics that generally increase inherent
risk are:

• Opportunity - The more liquid an asset, or the less centralized an operation, the
greater the potential risk of fraudulent activity.

• New Activities - The newer the activity, the greater the risk that processes and
procedures may not be as well understood as routine activities. Therefore, there
is greater risk that objectives in these areas might not be realized.

• Complexity - The more complex an activity is, the greater the possibility of error
in performing the operations. Complex legal requirements governing a specific
program may increase the likelihood that compliance issues may arise.

Another element impacting on the ability to achieve objectives is the element of change.
We live in a rapidly changing society, and in order to meet taxpayer expectations, local
managers may need to change the way their governments operate. However, these
changes may present to managers unique risk problems that need to be identified and
addressed. Some risk elements of change are:

• Changes in Operating Environment - This can be brought about by changes in
the regulations that affect a program (external) or by replacing a manual system
with a computerized system (internal). Both changes impact the environment
under which the employees are working and may affect the ability to achieve
objectives.

• Changes in Personnel - Staff turnover can impact achievement of objectives
because it takes time for new employees to achieve the proficiency of the
employee they are replacing. Frequent staff turnover may be indicative of other
problems.

• Rapid Growth - Rapid increases in the number of businesses and/or residents
moving into a municipality can mean greater demands for services. Such
demands can impact the ability of a department to achieve its objectives. They
may even necessitate reevaluating the objectives of a department.

The process of risk assessment consists of trying to identify those events that could
impact the ability of the department to achieve its objectives. Risk assessment consists
of asking a series of questions and then answering those questions. Questions that
might be asked in a typical risk assessment are:

• What are our primary objectives?

• What must go right for us to succeed?

• What events can prevent us from achieving these objectives?

• Which of our assets are most liquid or desirable and, therefore, in most
need of protection?

• What information do we rely on to achieve our objectives? What are the threats
to our obtaining this information?

• What typical decisions are made in our operations? Which of these decisions
require the most judgment?

• What are our most complex activities?

• What laws and regulations significantly impact our operations?



• What potential legal liabilities can result from our operations?

• Where do we spend most of our money?

• What changes do we see on the horizon?

It is best if the risk assessment is conducted at the department level and, within the
department, at the activity or process level. Remember to focus efforts on those risks
that are significant to the achievement of key objectives and that have a reasonable
likelihood of occurrence. The risk assessment process is facilitated when there is a
written mission statement and written goals and objectives.

Results of the above questions can be entered into the following table:

| Departmental Objectives | Risks to Achieving Objectives | Controls In Place | Control Deficiencies | Corrective Action |
| --- | --- | --- | --- | --- |
| List the objectives for the department. | The risks should be associated with an objective. There are a multitude of risks that could be identified with each objective. It is best to focus on control efforts that are significant and have a reasonable likelihood of occurrence. Therefore, both of these elements should be considered when assessing risk. | For each risk, identify the controls that exist to either prevent the risk from occurring, or help detect the occurrence of the risk. | Identify where current controls are ineffective and plan to improve the effectiveness of the controls. | List the corrective action to be taken. |
| Example: Complete year-end accounting records and file annual report in time to meet legislative deadline. | Inability to identify vendor payables at year end | Vendor statements received at finance office, compared with invoices and receiving documents, totaled and posted. | Services and goods delivered but not yet billed by vendor may not be included in payables. | Establish effective communication process to ensure department heads notify finance office of all vendor goods and services received as of year-end. |

As shown in the above table, the risks are related to the objectives, the controls
address the risks, any control deficiencies are identified and corrective action is
planned. This process of risk assessment helps managers develop a plan to improve
the internal controls of local operations. For the example given, the solution may be to
establish a process for all departments to ensure that delivered goods and services are
identified and appropriate information is promptly communicated to the finance office.
This process could also include developing forms and procedures to document and
communicate the needed information.

Control Activities

Control activities are the policies and procedures that help ensure that management
directives are carried out. They help ensure that necessary actions are taken to address
significant risks to the achievement of the entity’s objectives. COSO identifies a range
of control activities including approvals, authorizations, verifications, reconciliations, and
reviews of operating performance, security of assets and segregation of duties.

Control activities may:

• provide guidance to employees to help achieve the desired objectives of the
department (directive controls),

• be designed to deter the occurrence of undesirable events (preventive controls),
or

• identify when undesirable events do occur (detective controls).

When undesirable events do occur, flaws in the process should be identified, and action
to correct the problem should be initiated. Such activities are called corrective control
activities.

Through authorization, management identifies who is permitted to execute specific
transactions, and establishes parameters within which they must operate. Some
activities may need supervisory approval before they can be executed. The supervisor’s
approval should be based on some form of verification that the activity is in accordance
with policies and procedures. In this regard, supervisory approval also serves as a
monitoring device, ensuring that policies are being followed. Since these controls are
designed to control undesirable events, they would be considered preventive controls.
They are primarily designed to prevent mistakes.

Another preventive control is segregation of duties. Segregation of duties is primarily
designed to prevent fraudulent activity from occurring and remaining undetected.
Management can achieve this control objective by dividing work among two or more
people. Under a proper segregation of duties, no one person should control all the key
aspects of a transaction or event, and the functions performed by one person may be
checked by the functions performed by the other. In general, the transaction approval
function, the accounting/reconciliation function and the asset custody function should
be separated among employees whenever possible. In some cases, segregation is
mandated by statute. When these functions are not or cannot be separated, then a
detailed supervisory review of related activities should be undertaken by managers or
officials as a compensatory control.



Some examples of detective controls are reconciliations and reviews of performance.
Under reconciliations, an employee relates different sets of data to one another,
identifies and investigates differences, and takes corrective action where necessary. It
is important that the person conducting the reconciliations understands the importance
of the process and the implications of errors identified. Examples of reconciliations
are comparisons of cash amounts per general ledger to cash balances per bank
statements, receivable amounts per general ledger control accounts to related
subsidiary account totals, and physical counts of fixed assets to amounts recorded on
accounting records. Under reviews of performance, management compares information
about current performance with budgets, prior periods, or other benchmarks to measure
the extent to which goals and objectives are being met. Reasons for variances are
investigated to determine what corrective actions are necessary.

Some control activities may provide information that other control activities are properly
working or that additional guidance is needed to improve the operations of those
control activities. For example, employees may be authorized to initiate transactions
up to a certain limit and need approval for transactions in excess of the stated limit. In
approving transactions above the stated limit, a supervisor may notice that the process
either is or is not in accordance with departmental policies. This provides the supervisor
with information regarding the transactions being executed by the employees, and
whether additional training or guidance is necessary to have the process function
properly.

In general, to help ensure that control activities are most effective, supervisory
approvals and authorizations should require:

• Written Guidance
• Limits to Authority
• Supporting Documentation

In addition, it is important for supervisors to take the approval function seriously. This
requires that they:

• Actively Examine Documentation
• Question Unusual Items
• Never Sign Blank Forms

Sometimes it is not possible to completely control the risks that a local government
faces. When such risks are insignificant or not very likely to occur, and the cost to
reduce the risks further is prohibitive, the local government managers may decide
to simply accept the risk. Before this decision is made, the local officials should be
sure that they have adequately defined the risk, its likelihood of occurring and the
potential costs if the event does occur. Another option to local government officials
is to pass the risk on to someone else. This is sometimes called “insurance.” When
local governments purchase liability insurance, for example, they are transferring some
or most of the costs that would be incurred if certain risk events actually occur to the
insurance company.

Points to Remember

Control activities should be designed so as to limit the effects of risks identified
during the risk assessment process. Some risks may be so remote or the effects
of such risks so minor that managers may decide to simply accept those risks
without developing controls to address them. Some risks, if they occur, may be
so significant that, even though remote, they need to be limited. For these risks,
local managers may decide to purchase insurance. For all other risks (and even
for risks that are insured) managers should implement controls that will reduce the
likelihood of such risks occurring or reduce the impact if such risks do occur.

Information and Communication

In order for risks to be controlled, it is imperative that there be a sound communication
process that captures the necessary information and then provides that information
to all who have need of that information. Since controlling risk is the responsibility of
all those involved in the various processes of the municipality, the information about
identified risks and the means of controlling those risks need to be communicated
to everyone involved. It is important that the communication system allows for
communication to flow in all directions throughout the organization to lessen the
chance of misunderstandings. Problems may be identified at the lower levels of the
organization and if the information is not allowed to flow back up to those who are
responsible for making corrections, those managers will not receive needed information
on time.

The executive summary to COSO states, “Pertinent information must be identified,
captured and communicated in a form and timeframe that enable people to carry out
their responsibilities. Information systems produce reports containing operational,
financial and compliance-related information that make it possible to run and control the
business.” It goes on to state that information must flow throughout the organization
so that individuals understand their own role in the internal control system and how
their work relates to the work of others. Effective communication also must include
communication with customers, suppliers and regulators.



An effective information and communication system should do the following:

• Produce the financial, operational and compliance reports needed to run the
municipality, enable informed business decision-making, and issue reliable
external reports.

• Enable employees to capture and exchange the information they need to
conduct, manage and control operations.

• Identify, capture and communicate pertinent information in a form that enables
people to effectively carry out their responsibilities.

• Enable communication to flow in all directions throughout the organization.

• Establish effective communication with external parties.

As part of the information and communication system, it is important to inform all
employees that control responsibilities are to be taken seriously. Each employee should
understand his or her role in the internal control system, as well as how their individual
activities relate to the work of others. Employees also need to know that they have a
responsibility to communicate problems they notice in the performance of their duties.

Information about the policies and procedures to be followed by employees flows
down through the organization. Information about daily activities may flow across
the organization from employees that develop the information to those that need the
information. Information about problems noted in daily activities needs to flow upward
through the organization to those in a position to initiate corrective action.

Monitoring

Monitoring is a process that assesses the quality of the internal control system over
time. As indicated above, there are specific control procedures that are established as
part of the system of internal control. Monitoring helps confirm that those procedures
are actually being followed. Monitoring would also help ensure that deficiencies are
being communicated as needed. Also, with time, new risks may arise or processes
change that impact on the exposure of the local government. Monitoring helps to
identify where new risks arise and may reveal a need for new processes. For example,
changing from a manual accounting system to a computerized accounting system will
expose the organization to new risks that will need to be addressed.

One method of monitoring the functioning of internal controls is performance measures.
Because internal controls are established to provide reasonable assurance regarding
the achievement of objectives, using performance measures to determine the
extent to which the government is achieving its objectives is a useful way to monitor
the effectiveness of the internal controls of a local government. When performance
measures indicate unsatisfactory results, managers (and staff) should identify
where changes can be made to improve the outcomes.

Another way to monitor internal controls is to test the operations of the local government
to determine if procedures are being applied as designed. This should be an ongoing
process. Some larger units of government may find it cost-effective to institute an
internal audit function to help monitor the functioning of internal controls and the
achievement of established objectives.

Soft Controls

An effective system of internal controls addresses each of the components discussed
above. Policies and procedures developed for control environment, risk assessment,
control activities, information and communication, and monitoring often consist of
hard controls that are easily identified, assessed and documented. The influence of
these policies and procedures should also be identified, assessed and documented.
The effect that policies and procedures have on the people involved can result in a
secondary set of soft controls, equally important as the paper and ink hard controls.

Soft controls are those controls that involve attitudes and perceptions and
competencies. By their nature, they are less apparent and more difficult to measure
and assess. Such attributes as trust, strong leadership, openness and high ethical
standards are just as essential to the effective operation of local governments and
should not be overlooked or underestimated when developing or enhancing your
internal control system.

To evaluate these types of controls, managers should identify and agree on criteria for
evaluation. Through self-assessments, managers should ask themselves how they
assure themselves that objectives are being met, that policies and procedures are
followed, that legal compliance is met, etc. Through surveys, managers should ask
employees for confirming feedback. Results of soft controls should be evaluated to
provide further evidence of control effectiveness. When weaknesses are identified,
managers should focus on improving the underlying processes. Any improvements
should be discussed with all the people involved.



Conclusion

Internal controls are essential to the effective operation of local governments. Internal
controls are needed to help local officials achieve their objectives in a cost-effective
manner. Cost-effectiveness is an important concept in internal controls. In developing
the internal controls for a local government, it is important to identify the benefits to
be achieved by particular controls and to compare those benefits with the costs of
implementing proposed controls.

Actively thinking about the government’s objectives, the risks involved in achieving
those objectives and the means of controlling those risks enhances management’s
ability to achieve key objectives at minimum cost to the taxpayers. Communicating
the government’s objectives and values (and providing all employees a mechanism to
communicate throughout the organization) provides clear guidance to employees on
expected outcomes. Effective communication also provides managers with access to
the information that they need to achieve the goals established for the local government.
Continuously monitoring programs enables managers to keep current on the functioning
of their government’s operations towards those goals.

II. Additional Resources

Web sites, questionnaires and a checklist (matrix) have been included to provide
additional information and guidance.

Web Sites:

Standards for Internal Control in New York State Government:

http://www.osc.state.ny.us/audits/audits/controls/standards.htm

The following web site may contain information that could be helpful in developing
and implementing effective internal controls. However, some of the suggestions and
procedures identified by this site may not be in conformance with laws and regulations
in New York State. Consequently, any actions taken to implement some of the
suggestions and procedures should be reviewed for applicability in New York State.

Control Self-Assessment Workshop Participant’s Manual, The University of Texas System,
from web site http://www.utsystem.edu/aud/
(Click on “Audit Links,” “Compliance and Risk” then “Control Self-Assessment”)

Questionnaires:

Internal control questionnaires have been provided for the following key areas:
accounting records, cash receipts, cash disbursements, cash management, purchasing
and personnel.

Accounting Records: Segregation of Duties

It is important to spread certain duties among several officers or employees to reduce
the risk of fraudulent activities. Where duties are not required to be segregated, or
cannot be segregated, it is important to have increased supervisory review of activities.

Question Yes No

Are the functions of maintaining the accounting records, physical custody of
assets, maintaining subsidiary records and reconciling subsidiary records to
control accounts spread among different people?

List the names of the individuals responsible for each of the above functions:
Maintaining Accounting Records:
Physical Custody of Assets (May be several individuals):
Maintaining Subsidiary Accounts (May be several individuals):
Reconciling Controls to Subsidiaries:

For computerized accounting records, are there controls to limit access to
computers, programs, and input?
In a mainframe environment, access to the computer should be limited and
programmers should not be running the programs they develop. For a PC
environment, access to individual computers should be controlled by passwords,
access to specific programs should be limited to certain individuals either through
passwords or with “read only access,” and input controls should limit who is
authorized to use application programs to enter data.

Where duties are not segregated among different people, indicate the supervisory review (of activities) in
place to limit risk:

What additional steps are planned to address weaknesses indicated by a lack of segregation of duties?



Accounting Records: Timeliness and Usefulness

Accounting records provide information needed to manage the finances of the
local government. In order for this information to be useful, it must provide needed
information that helps managers identify potential problems within a timeframe that
allows for corrective action before any problems worsen.

Question Yes No

Are the accounting records up-to-date?


This means that receipts and disbursements are recorded daily; that ledger
accounts are posted either simultaneously with other records (as in most
computer operations) or within a day or two of the end of the month; that
controls and subsidiaries are reconciled monthly; and that errors are
identified and corrected immediately.

Are timely reports issued?


If the accounting records are properly designed, reports should flow easily
from them. Annual reports ideally should be completed within a month of
the completion of the fiscal year; budgetary reports should be available
within days of the completion of the month. Where this is not possible,
causes for delays should be identified and corrected.

What accounting records are not up to date?

What reports are not issued in a timely fashion?

What additional steps are planned to address weaknesses indicated by the
lack of timely accounting records and useful reports?

Cash Receipts: Segregation of Duties

It is important to spread certain duties among several employees to reduce the risk of
fraudulent activities. Where duties are not required by law to be segregated, or cannot
be segregated, it is important to have increased supervisory review of activities.

Question Yes No

Are the functions of collecting cash, recording cash receipts in
the accounting records, verifying daily receipt accountability, and
reconciling bank accounts spread among different people?

List the names of the individuals responsible for each of the above functions:
Collecting Cash
Recording Cash Receipts in Accounting Records
Verifying Daily Receipt Accountability
Reconciling Bank Accounts

Where duties are not segregated among different people, indicate the supervisory review (of
activities) in place to limit risk:

What additional steps are planned to address weaknesses indicated by a lack of segregation
of duties?



Cash Receipts: Accountability

Individuals collecting cash should be held accountable for the transactions they
handle. It should be possible to determine the amount of cash for which each person is
responsible at any point in time.

Question Yes No

Does each person that collects cash have his own cash box that is
counted at the end of the day by a supervisor?

If the answer to the above question is ‘no,’ how is individual accountability determined for
daily collections?

What additional steps are necessary to adequately assign accountability to employees
for cash collections?

Cash Receipts: Verifiability

It should be possible to verify the amounts each person is responsible for collecting
each day. This should be compared to the amounts that are turned in. Amounts
by which the collecting official or employee is over or short should be determined.
Amounts deposited in the appropriate bank accounts should agree with daily receipts
recorded in the accounting records.
Question Yes No

Are amounts to be collected verifiable from:
• Press-numbered licenses or permits?
• Amounts billed to customers (for user charges)?
• Press-numbered duplicate receipts?

Where amounts are not verifiable from some source, how does the local government determine the
amounts for which each person collecting cash is responsible?

What additional steps are planned to address weaknesses indicated by an inability to verify amounts for
which each person collecting cash is responsible?

Question Yes No

Are deposits made promptly?

Do deposits include all receipts from the time of the prior
deposit?

Do deposit slips include details of all checks deposited?

Depositing receipts promptly reduces risks from loss due to misplacement. Including all receipts from the
time of the prior deposit makes it possible to tie amounts deposited to amounts recorded in accounting
records. Listing details of checks deposited makes it possible to compare deposits with details of receipts,
thereby identifying potential manipulations of cash receipts.

If the answer is ‘no’ to any of the above three questions, how are the risks associated with those answers
controlled?

What additional steps are necessary to adequately control verifiability of cash receipts?



Cash Disbursements: Segregation of Duties

It is important to spread certain duties among several officers and employees to reduce
the risk of fraudulent activities. Where duties are not required by law to be segregated,
or cannot be segregated, it is important to have increased supervisory review of

Question Yes No

Are the functions of writing checks, recording checks in the accounting
records, distributing checks and reconciling bank accounts spread
among different people?

List the names of the individuals responsible for each of the above functions:
Writing Checks:
Recording Checks in Accounting Records:
Distributing Checks:
Reconciling Bank Accounts:

Where duties are not segregated among different people, indicate the supervisory review (of
activities) in place to limit risk:

Cash Management:

The fundamental principle guiding the deposit and investment of public monies is that
an investment program should meet four elements: legality, safety, liquidity and
yield. Each local government is required to develop policies and procedures that are
in compliance with Section 39 of the General Municipal Law, and communicate those
policies and procedures to affected staff. The policies and procedures should consider
the four elements shown above.

Question Yes No

Has the local government adopted an investment policy?

Are procedures governing the investment function set down in writing?

Are those involved in the investment function aware of the policies and
procedures?

(This question deals with how well these elements are communicated
to employees.)

Are deposits in excess of FDIC coverage secured by a pledge of securities,
an eligible surety bond, or an eligible letter of credit in proper amounts?

Are securities pledged to secure deposits covered by security and custodial
agreements?

Are cash flow projections used to determine amounts and time periods for
investments?



Purchasing:

Purchasing here covers the decisions and processes involved in obtaining the goods
and services necessary for operating the local government. The process generally
begins with the initiation of a purchase requisition by an authorized officer or employee
who needs the goods or services and ends with the payment for the goods and services
received. Controls in purchasing should be concerned with acquiring quality goods and
services in the amounts needed to carry on the functions of the government at the best
possible price, and in conformance with all pertinent laws and policies.

Purchasing is limited to authorized officers and employees to help ensure that only
the goods and services needed are acquired, and that they are used for municipal
purposes. Larger local governments may have a centralized purchasing department to
enhance the acquisition of goods and services at favorable prices. Routine purchases
may not be subject to the same authorization levels as unusual purchases or purchases
of more expensive items. A local government’s purchasing policy will spell out the
authorization requirements for various levels of purchasing.

Larger units of government may also have a central receiving unit to receive goods
ordered. This provides for additional segregation of duties.

Policies and Procedures:

Section 104-b of the General Municipal Law requires local governments to adopt
written policies and procedures governing the procurement of goods and services
when competitive bidding is not required. This statute also requires local government
personnel to document certain purchase related decisions. In addition to provisions
to ensure compliance with Section 104-b, the adopted policies and procedures should
identify authorization limits, the use of requisitions and purchase orders, and the
process to follow in purchasing goods and services. For additional information on
Section 104-b and guidance on purchasing goods and services, see our chapter on
purchasing.
Question Yes No

Has the local government adopted a purchasing policy?

Are procedures governing the purchasing function set down in writing?

Are those involved in the purchasing function aware of the purchasing
policies and procedures?

(This question deals with how well these elements are communicated
to employees.)

Purchasing: Segregation of Duties

It is important to spread certain duties among several employees to reduce the risk of
fraudulent activities. Where duties are not required by law to be segregated, or cannot
be segregated, it is important to have increased supervisory review of activities.

Question Yes No

Are the functions of requesting goods and services, authorizing
purchase orders, receiving goods and approving invoices for payment
spread among different individuals?

List the names of the individuals responsible for each of the above functions:
Requesting goods and services:
Issuing purchase orders:
Receiving goods and services:
Approving invoices for payment:

Where duties are not segregated among different people, indicate the supervisory review (of
activities) in place to limit risk:

What additional steps are planned to address weaknesses indicated by a lack of segregation of
duties?



Purchasing: Verifiability

The purchasing process should make it possible to verify the orders placed to date, and
the amount of orders remaining open at given dates. It should also enable the matching
of goods received with purchase orders placed. In municipalities, a good purchasing
system should include the verification of available appropriations before orders are
placed.
Question Yes No

Are purchase orders used for all purchases?

Are purchase orders pre-numbered?

Is availability of appropriations verified prior to issuing purchase orders?

Are purchase orders written from requisitions from authorized individuals?

Does someone approve the condition of goods received and compare
amounts received with receiving slips?

Are receiving slips signed and sent to the person responsible for approving
payment on invoices?

Are receiving slips matched to purchase orders to verify that only goods
ordered are received, and that amounts received agree with amounts
ordered?

Are receiving slips matched to invoices to verify that only amounts received
are being billed?

Are unit prices on an invoice matched to the purchase order to verify that
billed amounts agree with purchase orders?

Is the mathematical accuracy of the invoice verified?


(Consists of multiplying unit price by number of units received and adding
total column)

If there are additional controls over the purchasing function to ensure that purchases are controlled and that
claims are only paid for goods and services received for municipal purposes, indicate them here:

What additional steps are planned to address risks involved in the purchasing function?

Personnel:

Personnel here covers the decisions and processes involved in identifying and hiring the
staff necessary for operating the local government. Local governments provide services
to constituents and those services require the employment of staff. Controls in this area
should deal with identifying staff needs, hiring qualified personnel, supervising work and
payment of compensation.

Question Yes No

Has the local government adopted a personnel policy?

Has the local government adopted a code of ethics meeting the
requirements of Section 806 of the General Municipal Law?

Are all employees provided with a copy of the personnel policy and the
code of ethics?

Segregation of Duties:

It is important to spread certain duties among several employees to reduce the risk of
fraudulent activities. Where duties are not required by law to be segregated, or cannot
be segregated, it is important to have increased supervisory review of activities.
Question Yes No

Are the functions of hiring staff, approving payroll records, preparing
payrolls, preparing payroll checks and distributing payroll checks
segregated?

List the names of the individuals responsible for each of the above functions:
Hiring Employees:
Approving Payroll Input Sheets:
Preparing Payrolls:
Preparing Payroll Checks:
Distributing Payroll Checks:

Where duties are not segregated among different people, indicate the supervisory review (of
activities) in place to limit risk:

What additional steps are planned to address weaknesses indicated by a lack of segregation of
duties?



Personnel: Verifiability

It is important to be able to determine the employees hired and the amounts paid
to those employees for services provided. The payroll function should enable the
determination of hours worked, leave used, leave accrued, and salary rates.

Question Yes No

Are policies in place for justifying need for staff hired?


(This may include budgetary authorization for positions.)

Is employee attendance documented?

Is excessive employee absence investigated?

Is overtime controlled?

Are records maintained of accumulated leave time?

Do time cards or some other form of attendance verification support
payrolls?

Are amounts paid employees determined by either properly approved
contracts or other approved actions?
(This may include approval of the budget and/or the passage of a
resolution).

Are the above functions subject to collective bargaining agreements?

Standards for Internal Control (Matrix)

20 Dimensions of an Organization

                              Effective     Safeguard   Comply with   Reliable
                              Efficient     Assets      Laws and      Information
                              Operations                Rules
Control Environment           1             2           3             4
Communication                 5             6           7             8
Assessing and Managing Risk   9             10          11            12
Control Activities            13            14          15            16
Monitoring                    17            18          19            20

Developed by the New York State Office of the State Comptroller
Office of Internal Control Management
February 1999

In an effort to assist managers in defining the appropriate scope and range of
an effective system of internal control, the State Comptroller’s Office of Internal
Control Management has developed a matrix that delineates the dimensions of an
organization. The matrix is based on the “Standards for Internal Control in New York
State Government” issued by the Office of the State Comptroller. By combining the
five components and four purposes of internal control, as identified in the standards, a
matrix is formed. The points of intersection of the components and purposes create 20
Dimensions of an Organization.

Within each dimension there are many issues that should be addressed to help
ensure there is a sound system of internal control. Below are the 20 Dimensions along
with examples of issues to be considered within each dimension. This listing is not
exhaustive, but provides a starting point in the process of identifying all of the pertinent
issues within each dimension. It should be noted that the dimensions are not limited to
the 20 identified herein. For example, additional components, supporting activities or
purposes that may be further identified by management could be added to expand the
matrix.

This listing can be used (after all additional issues are identified and added to the
listing): a) as a checklist to determine which issues are true about your organization
and which issues are false and, therefore, may require attention; b) as the focus of a
meeting or task force that is charged with assessing the effectiveness of a dimension
and/or issue; or c) as a source for identifying issues to be included in a formal
evaluation of a system of internal control.

Note: The parenthetical references following each dimension heading are the attributes
of the purpose of internal control that is being considered.



Dimension Issues

1. Control Environment: Operations (Effective, Efficient, Orderly, High Quality)

♦ Management and employees understand and reflect the agency’s
values.
♦ Employees understand organizational structure and plans, their place
within the structure and how their responsibilities contribute to the
overall plan.
♦ Employees understand their job descriptions and responsibilities.
♦ Competent staff is hired in accordance with legal requirements and
appropriate hiring practices.
♦ Management encourages quality services to customers.
♦ Employees understand who their customers are and the need to
provide them with quality services.
♦ Employees understand the purpose of all controls within their areas of
responsibility.
♦ Management advocates and supports controls and discourages
overriding controls.
♦ Employee performance programs include evaluation of compliance
with internal control objectives.
♦ Employee morale is established and maintained at an appropriate
level.
♦ Employees are rewarded for identifying opportunities for improving
operations.

2. Control Environment: Safeguard Assets (Human, Data, Equipment, Property)

♦ Management practices encourage ethical, honest behavior by
employees.
♦ Management establishes and employees understand safety
regulations and procedures that ensure a safe work environment.
♦ Management establishes and employees understand and comply with
control activities that safeguard assets.
♦ Management and employees are intolerant of waste, mismanagement
and abuse of assets.
♦ Management and employees are alert to new risks or changes in risk
that may threaten assets.
♦ Management promotes activities that discourage fraud.
♦ Management supports programs that promote employee well being.
♦ Employees understand and appreciate the importance of the special
procedures established for the retention, use and disposal of
confidential and sensitive information, subject to legal requirements.
♦ Management creates an atmosphere that enables the reporting of
fraud or mismanagement of assets.
♦ Management establishes monitoring processes to deter misuse or loss
of assets.

3. Control Environment: Compliance (Laws, Regulations, Contracts, Policies and
Procedures)

♦ Management promotes compliance with all applicable laws,
regulations, contracts, policies and procedures.
♦ Employees understand all laws, regulations, contracts, policies
and procedures that are relevant to their responsibilities and the
ramifications of not complying with them.
♦ Employees understand and comply with a comprehensive code of
ethics.
♦ Management establishes processes to monitor compliance with all
applicable laws, regulations, contracts, policies and procedures.
♦ Management creates an atmosphere that enables the reporting
of noncompliance with laws, regulations, contracts, policies and
procedures.
♦ Management ensures appropriate and consistent actions towards
those who fail to comply with laws, regulations, contracts, policies or
procedures subject to collective bargaining agreement provisions.

4. Control Environment: Information (Reliable, Accurate, Timely)

♦ An atmosphere exists that promotes the accuracy and integrity of
information generated in the unit.
♦ Resources are provided to develop and maintain all necessary
financial and management data.
♦ Realistic time frames are established for processing data.
♦ Management requires sufficient levels of reporting information for
review and analysis.
♦ Management demonstrates to employees the value of the information
the employees have developed.
♦ An atmosphere exists that allows the communication of unfavorable
information without fear.



5. Communication: Operations (Effective, Efficient, Orderly, High Quality)

♦ The organization’s mission, objectives and goals are clearly
communicated to employees.
♦ Organizational structure and plans are clearly communicated to
employees.
♦ Job descriptions and responsibilities are clearly communicated to
employees.
♦ All relevant control activities and their purposes are clearly communicated to
employees.
♦ Values of the organization are clearly communicated to employees.
♦ Value of the customer and the need for quality products/services are
clearly communicated to employees.
♦ Risk tolerance levels are clearly communicated to the organization’s
decision-makers and those responsible for managing risk.
♦ Policies and procedures are established and communicated.
♦ Open lines of communication exist.
♦ A communication network is established that ensures everyone is
given the information needed to satisfactorily perform his/her function.
♦ A process is established that encourages and enables employees to
suggest opportunities for improvement.
♦ Clear positive and negative feedback are provided to employees.

6. Communication: Safeguard Assets (Human, Data, Equipment, Property)

♦ The conduct expected from employees is clearly communicated to
them.
♦ Employee safety regulations and procedures are clearly
communicated.
♦ Responsibility for control activities and the purpose of the control
activities that safeguard assets are clearly communicated to all who
need to know.
♦ A network is established for reporting changes in risks and new risks
that may threaten assets.
♦ Lines of communication are established that report breakdowns in
control activities that safeguard assets.
♦ Procedures are established for communicating inappropriate use of
assets.

7. Communication: Compliance (Laws, Regulations, Contracts, Policies and
Procedures)

♦ All relevant laws, regulations, contracts, policies and procedures are
clearly communicated.
♦ The purpose and assignment of responsibility for control activities
established to help ensure compliance with laws, regulations, contracts
and policies and procedures are clearly communicated.
♦ Ramifications for violations are clearly communicated.
♦ A communication network is established that ensures notification of
changes in laws, regulations, contracts, policies and procedures.

8. Communication: Information (Reliable, Accurate, Timely)

♦ A communication network is established that provides the most current
and accurate information available for managing operations and
assessing and managing risk.
♦ Communication networks incorporate all necessary control activities to
ensure the integrity of information.
♦ A method is in place for identifying and communicating confidential and
sensitive information.
♦ The networks, mediums and formats selected for communicating
information are appropriate to the content of the information and the
audience to whom the information is being communicated.

9. Assessing and Managing Risk: Operations (Effective, Efficient, Orderly, High
Quality)

♦ All relevant objectives (as outlined in plans) are identified.
♦ Risk tolerance levels are determined.
♦ All relevant risks that threaten achievement of objectives are identified.
♦ Risks and risk tolerance levels are understood by appropriate staff.
♦ The impact and likelihood of the risks occurring are determined.
♦ Determinations are made regarding whether to avoid, accept or reduce
each identified risk.
♦ Mechanisms to identify and address changes in risk exposure are put
in place.
♦ As changes in risk occur, determinations are made regarding whether
there is a need to add or delete control activities.
♦ Appropriate approvals are obtained for risks that are accepted.



10. Assessing and Managing Risk: Safeguard Assets (Human, Data, Equipment,
Property)

♦ Data, equipment and property assets are inventoried and valuated.
♦ The risk of loss of key personnel is assessed and addressed.
♦ Risks that threaten assets are identified and assessed.
♦ Plans to manage (i.e. avoid, accept or reduce) risks that threaten
assets are developed.
♦ A mechanism is in place to identify and address changes in risks as
changes in assets occur.
♦ Determinations are made regarding the need to add or delete control
activities that safeguard assets as changes in assets cause changes in
risk exposure.
♦ Appropriate approvals are obtained for accepting risks that threaten
assets.

11. Assessing and Managing Risk: Compliance (Laws, Regulations, Contracts,
Policies and Procedures)

♦ The risk of noncompliance with laws, regulations, contracts, policies
and procedures is assessed.
♦ Plans are developed that manage risk and help ensure compliance with
laws, regulations, contracts, policies and procedures.
♦ A process is established to identify changes in laws, regulations,
contracts, policies and procedures.
♦ A mechanism is in place that helps ensure reassessment of risks that
change as a result of changes in laws, regulations, contracts, policies
and procedures.
♦ Changes in risk resulting from changes in laws, regulations, contracts,
policies and procedures are adequately managed.
♦ Policies and procedures are modified to address new risks or changes
in risk.

12. Assessing and Managing Risk: Information (Reliable, Accurate, Timely)

♦ Risk assessment and management are based on the most current and
reliable information.
♦ A process is established for capturing information needed to effectively
assess and manage risk.
♦ A formal process is established for communicating new risks or
changes in existing risk and risk tolerance levels.

13. Control Activities: Operations (Effective, Efficient, Orderly, High Quality)

♦ Control activities provide a reasonable assurance the objectives of the
operation will be accomplished.
♦ Cost of the control activity is less than the cost of not accomplishing
the objective.
♦ A control activity portfolio efficiently reduces risk to an acceptable level.
♦ Control activities are considered, designed and implemented during
system/procedure development.
♦ Each control activity corresponds to a risk(s) that is being minimized.
♦ As systems/procedures change, the control portfolio is adjusted to
adequately manage any changes in risk and those control activities
which become obsolete are discontinued.
♦ Control activities are implemented that help ensure the production of
quality products and services.
♦ Industry practices are monitored regarding methods for ensuring the
quality of products and services. Applicable practices are instituted as
needed.

14. Control Activities: Safeguard Assets (Human, Data, Equipment, Property)

♦ Control activities reduce the risk to assets to an acceptable level.
♦ Cost of the control activity does not exceed the cost of losing the asset.
♦ Policies and procedures are established to address the safety and
well-being of employees.
♦ Devices are installed and functioning properly to help ensure the safety
and well-being of employees.
♦ Guidelines are established for identifying and monitoring confidential
and sensitive information.
♦ Appropriate procedures are established for the disposal of confidential
and sensitive information, subject to applicable legal requirements.
♦ Confidential and sensitive information on hard drives and other
magnetic mediums is erased or otherwise made unreadable prior to
disposal, subject to applicable legal requirements.
♦ The need to produce hard copy documents containing confidential and
sensitive information is assessed.
♦ Procedures and processes are established for the distribution of hard
copy documents containing confidential and sensitive information.
♦ Policies are established regarding to whom confidential and sensitive
information can be revealed.
♦ Access rights to confidential and sensitive information are assigned.
♦ Safety devices on equipment are functioning and are being used
properly by employees.
♦ Employees follow procedures to safeguard assets such as using and
protecting passwords, and locking file cabinets, offices and other areas
where data, equipment or property could be misused, damaged or
stolen.

15. Control Activities: Compliance (Laws, Regulations, Contracts, Policies and
Procedures)

♦ Control activities reduce the risk of noncompliance.
♦ Cost of the control activity does not exceed the cost of the risk of
noncompliance.
♦ Processes are in place to monitor the sources of legislation,
regulations, rulings, etc., that impact operations.
♦ Employees’ compliance with all applicable legislation, regulations, etc.,
is monitored.
♦ Policies and procedures are consistent in identifying and incorporating
control activities that respond to new legislation, regulations, contracts,
etc.
♦ Policies and procedures are established for communicating to
employees the results of noncompliance.

16. Control Activities: Information (Reliable, Accurate, Timely)

♦ Processes are in place to help ensure information is received on
time to be of value to decision making and accomplishment of
responsibilities.
♦ Processes are in place to help ensure accurate information is provided
and/or developed.
♦ Employees are encouraged to provide complete information regarding
their activities whenever information is requested of them.
♦ Distribution of sensitive and confidential information is limited to those
who need to know.
♦ Only necessary information is developed and disseminated.

17. Monitoring: Operations (Effective, Efficient, Orderly, High Quality)

♦ Goals are monitored and reported upon to ensure they are being attained and
an acceptable degree of progress is being made towards accomplishment of
objectives and the mission.
♦ Costs and the use of resources are monitored and reported upon to ensure
products and services are being produced efficiently.
♦ Monitoring and reporting systems are established to ensure quality products
and services are provided.
♦ Processes are in place that effectively monitor changes in risk and identify
opportunities for improvement.
♦ Appropriate levels of supervision are established for ongoing monitoring of
daily activities.
♦ Upper level management periodically reviews and evaluates the effectiveness
and efficiency of supervisory activities.
♦ Control activities are monitored to help ensure they are effective and continue
to function as designed.
♦ Implementation of improvements is monitored to help ensure improvements
are completed in a timely fashion.

18. Monitoring: Safeguard Assets (Human, Data, Equipment, Property)

♦ Processes are in place to monitor and respond to environmental conditions
that may threaten the safety of employees.
♦ Access and handling of confidential and sensitive information is monitored to
help protect its integrity and to prevent any loss or misuse of the information.
♦ The acquisition, deployment, use and disposal of all equipment and property
is monitored to prevent it from being lost or misused.
♦ Services are provided that monitor the well-being of employees.
♦ Security systems are in place to monitor the safety of employees, data,
equipment and property.
♦ Appropriate measures such as passwords, firewalls, and encryption are used
to help ensure the integrity of data.
♦ Equipment is tagged and periodically inventoried.



19. Monitoring: Compliance (Laws, Regulations, Contracts, Policies and
Procedures)

♦ Procedures are established to monitor laws, regulations, contracts, policies
and procedures to ensure notification and communication of any changes.
♦ The documentation of new policies and procedures is reviewed by
appropriate levels of management to ensure the policies and procedures
reflect all of the legal and contractual requirements of a process. Periodically,
policies and procedures are reviewed to ensure they remain current.
♦ Resolution of noncompliance with legal, contractual or procedural
requirements identified through self-evaluations or independent assessments
is monitored to help ensure timely and sufficient correction.
♦ Where appropriate, checklists are established that list the steps that need
to be followed to ensure all the legal and procedural requirements of a
transaction have been fulfilled.

20. Monitoring: Information (Reliable, Accurate, Timely)

♦ Monitoring is done to help ensure employees continually have sufficient and
necessary information needed to fulfill their responsibilities.
♦ Sufficient and appropriate reporting relationships exist throughout the
organization.
♦ Information regarding the achievement of goals and objectives is
communicated promptly to enable any necessary adjustments or reactions to
plans.
♦ New or significantly changed external circumstances impacting operations are
monitored to help ensure communication to those within the organization who
may need to address them.
♦ Issues potentially affecting employee morale are identified and monitored
and are addressed as necessary.

OFFICE OF THE STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT SERVICES
AND SCHOOL ACCOUNTABILITY
Steven J. Hancox, Deputy Comptroller (518) 474-4037
Cole H. Hickland, Director - Direct Services (518) 474-5480
Jack Dougherty, Director - Direct Services (518) 474-5480

NEED HELP?
TECHNICAL ASSISTANCE IS AVAILABLE AT THE FOLLOWING
REGIONAL OFFICES

BUFFALO REGIONAL OFFICE
Robert Meller, Chief Examiner
Office of the State Comptroller
295 Main Street, Room 1050
Buffalo, New York 14203-2510
(716) 847-3647 Fax (716) 847-3643
Email: Muni-Buffalo@osc.state.ny.us
Serving: Allegany, Cattaraugus, Chautauqua, Erie, Genesee, Niagara, Orleans, Wyoming counties

GLENS FALLS REGIONAL OFFICE
Karl Smoczynski, Chief Examiner
Office of the State Comptroller
One Broad Street Plaza
Glens Falls, New York 12801-4396
(518) 793-0057 Fax (518) 793-5797
Email: Muni-GlensFalls@osc.state.ny.us
Serving: Clinton, Essex, Franklin, Fulton, Hamilton, Montgomery, Rensselaer, Saratoga, Warren, Washington counties

ROCHESTER REGIONAL OFFICE
Edward V. Grant, Jr., Chief Examiner
Office of the State Comptroller
The Powers Building
16 West Main Street – Suite 522
Rochester, New York 14614-1608
(585) 454-2460 Fax (585) 454-3545
Email: Muni-Rochester@osc.state.ny.us
Serving: Cayuga, Chemung, Livingston, Monroe, Ontario, Schuyler, Seneca, Steuben, Wayne, Yates counties

ALBANY REGIONAL OFFICE
Kenneth Madej, Chief Examiner
Office of the State Comptroller
22 Computer Drive West
Albany, New York 12205-1695
(518) 438-0093 Fax (518) 438-0367
Email: Muni-Albany@osc.state.ny.us
Serving: Albany, Columbia, Dutchess, Greene, Schenectady, Ulster counties

SYRACUSE REGIONAL OFFICE
Eugene A. Camp, Chief Examiner
Office of the State Comptroller
State Office Building, Room 409
333 E. Washington Street
Syracuse, New York 13202-1428
(315) 428-4192 Fax (315) 426-2119
Email: Muni-Syracuse@osc.state.ny.us
Serving: Herkimer, Jefferson, Lewis, Madison, Oneida, Onondaga, Oswego, St. Lawrence counties

HAUPPAUGE REGIONAL OFFICE
Jeffrey P. Leonard, Chief Examiner
Office of the State Comptroller
NYS Office Building, Room 3A10
Veterans Memorial Highway
Hauppauge, New York 11788-5533
(631) 952-6534 Fax (631) 952-6530
Email: Muni-Hauppauge@osc.state.ny.us
Serving: Nassau, Suffolk counties

BINGHAMTON REGIONAL OFFICE
Patrick Carbone, Chief Examiner
Office of the State Comptroller
State Office Building, Room 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306 Fax (607) 721-8313
Email: Muni-Binghamton@osc.state.ny.us
Serving: Broome, Chenango, Cortland, Delaware, Otsego, Schoharie, Sullivan, Tioga, Tompkins counties

NEWBURGH REGIONAL OFFICE
Christopher Ellis, Chief Examiner
Office of the State Comptroller
33 Airport Center Drive, Suite 103
New Windsor, New York 12553-4725
(845) 567-0858 Fax (845) 567-0080
Email: Muni-Newburgh@osc.state.ny.us
Serving: Orange, Putnam, Rockland, Westchester counties



CENTRAL OFFICE LISTING
Division of Local Government
and School Accountability
Area code for the following is 518 unless otherwise specified

Executive: 474-4037
    Steven J. Hancox, Deputy Comptroller
    John C Traylor, Assistant Comptroller

Audits and Local Services: 474-5404
    (Audits, Technical Assistance)

Electronic Filing
    Questions Regarding Electronic Filing of Annual Financial Reports: 474-4014
    Questions Regarding Electronic Filing of Justice Court Reports: 486-3166

Financial Reporting: 474-4014
    (Annual Financial Reports, Constitutional Limits, Real Property Tax Levies,
    Local Government Approvals)

Information Services: 474-6975
    (Request for Publications or Government Data)

Justice Court Fund: 473-6438

Professional Standards: 474-5404
    (Auditing and Accounting)

Research: 473-0617

Statewide and Regional Projects: 607-721-8306

Training: 473-0005
    (Local Official Training, Teleconferences, DVDs)

New York State Retirement System

    Retirement Information Services
        Inquiries on Employee Benefits and Programs: 474-7736

    Bureau of Member Services: 474-1101
        Monthly Reporting Inquiries: 474-1080
        Audits and Plan Changes: 474-0167
        All Other Employer Inquiries: 474-6535

Division of Legal Services
    Municipal Law Section: 474-5586

Other OSC Offices
    Bureau of State Expenditures: 486-3017
    Bureau of State Contracts: 474-4622

New York State
Office of the State Comptroller
Division of
Local Government and School Accountability
110 State Street, 12th Floor • Albany, New York 12236
