Fall 2016

Implementing the Five Key Internal Controls

Purpose
Internal controls are processes put into place by management to help an organization operate
efficiently and effectively to achieve its objectives. Managers often think of internal controls as
the purview and responsibility of accountants and auditors. The fact is that management at all
levels of an organization is responsible for ensuring that internal controls are set up, followed,
and reviewed regularly. The purposes of internal controls are to:

 Protect assets;
 Ensure that records are accurate;
 Promote operational efficiency;
 Achieve organizational mission and goals; and
 Ensure compliance with policies, rules, regulations, and laws.

In administering various U.S. Department of Housing and Urban Development (HUD), Office of
Community Planning and Development (CPD) programs, all grantee and subrecipient
organizations deal with risks to achieving their organizational and programmatic goals. No
rules, bad rules, or failure to follow rules disrupt the effectiveness of the internal controls and,
ultimately, mission delivery. This bulletin explains the five internal control standards and ways to
implement them effectively. It also provides case examples of deficiencies in internal controls
and how those issues could have been avoided through use of internal controls.

Background
If your grant or subgrant is subject to the uniform administrative requirements of 2 Code of
Federal Regulations (CFR) Part 200, then 2 CFR 200.303 requires that your organization follow
one of the two approved internal control frameworks. The Government Accountability Office
(GAO) Standards for Internal Control in the Federal Government (commonly called “the Green
Book”) is one of the frameworks, and the Committee of Sponsoring Organizations (COSO) has
issued the other. The former is used by the federal government, while publicly held companies
use the latter.

Both GAO and COSO provide a framework for designing, implementing, and operating an
effective internal control system. Using either will help achieve your objectives related to
operations, reporting, and compliance. The frameworks have 5 components of internal control
and 17 sub-principles.

1
 Summary of Internal Control Standards

4. Information
1. Control 2. Risk 3. Control 5. Monitoring
and
Environment Assessment Activities
Communication

Select and Use relevant, Perform ongoing

Demonstrate Specify quality
commitment to develop control and periodic
appropriate activities that information to evaluations of
integrity and objectives support the
ethical values mitigate risks internal controls
internal control including external
function audits
Ensure that board Select and
exercises Identify and develop
technology Communicate
oversight analyze risks Communicate
controls internal control
responsibility information internal control
internally deficiencies and
Establish Deploy control assure timely
structures, Evaluate fraud activities through corrective action
policies and Communicate
reporting lines, risks
procedures internal control
authorities and information
responsibilities externally
Identify and
Demonstrate analyze changes
commitment to a that could
competent significantly affect
workforce internal controls

Hold people
accountable

These standards are the foundation of good management and are described in more detail below.

Key 1. Establish a Control Environment

The control environment is the culture, values, and expectations that organizations put into place.
Ways to establish and nourish the environment are:

 Set “tone at the top” by implementing and promoting ethical standards, integrity, and
accountability policies;
 Set mission, goals and objectives (strategic planning) so the organization knows what it is to
accomplish;
 Establish structure, organizational responsibilities, and reporting chains;
 Hire competent and trustworthy staff members and provide necessary training for them;
 Provide leadership and good governance by staying on top of operations and performance,
and correcting problems when identified;
 Emphasize that compliance with laws and regulations is the expectation for the organization;
 Assure that goals and objectives are clear (especially when there are multiple grant awards)
and not in competition with each other or compliance requirements; and
 Hold people accountable for their responsibilities.

Example of weak control environment

An audit of a grantee found deficiencies in six of seven contracts reviewed.
Problems included insufficient evidence that contracts were adequately competed, missing

2
 contract forms and provisions, lack of justification supporting sole-source contracts, and board
of commissioners’ approvals signed after contract execution or missing. Further, auditors
discovered that forms were added to the contract files after the request to review them and
evidenced the use of correction fluid to conceal the date printed. The executive director
acknowledged that the former purchasing director removed files from the organization. The
executive director decided to create or reproduce the documentation before giving the files to
the auditor. The audit recommended referral of the executive director to HUD’s Departmental
Enforcement Center for appropriate action regarding the questionable ethical conduct. The
agency should have had policies concerning documentation, record archival, and removal of
official records from the office.

Key 2. Conduct Risk Assessments

In the past, risk management focused exclusively on financial dangers. Enterprise Risk
Management (ERM) looks at the entirety of an organization and everything that could affect it.
Leadership should oversee a risk management process and ways to accomplish this are:

 Have each function identify the risks to operations and performance;

 Brainstorm with staff to determine possible external risks (See the appendix at the end of the
bulletin that shows examples of types of risks);
 Learn about emerging risks through employee and customer surveys, etc.;
 Consider the potential for fraud when identifying, analyzing and responding to risks;
 Rate and rank the risks, and discuss controls or other actions needed to eliminate or reduce
the risk;
 Develop corrective actions and assign someone to be in charge of implementing each.

Key 3. Implement Control Activities

Control activities are the policies and procedures put into place to run operations, accomplish
goals, and prevent fraud. Basic internal control methods are:

 Establish responsibility;
o Assign each task to only one person.
o Establish organizational structure.
 Implement separation of duties;
o Don’t make one employee responsible for all parts of a process.
o Use compensating controls, such as additional monitoring or secondary sign-offs,
when separation is not possible.
 Restrict Access;
o Don’t provide access to systems, information, assets, etc. unless needed.
 Create policies and procedures;
o Implement written instructions with directives to follow them.
o Assure controls cover all areas of compliance.
o Assure controls cover security of assets and technology.
 Establish record keeping;
o Document all expenditures and the justifications for them.

Example of lack of control activities

A grantee city spent $284,649 in program funds on projects that did not have required
executed written agreements with its internal departments and subrecipients. Agreements
or memorandums of understanding for these projects should have included the purpose
statements and the national objectives they would meet. This condition occurred because

3
 the city did not have internal controls to ensure that internal departments and
subrecipients signed agreements before spending program funds. The lack of
agreements kept the city from having the authority to monitor the work. The city should
have had written policies and checklists to ensure that it had agreements or
memorandums of understanding for these projects in place, and should have included the
purpose statements and the national objectives the projects would meet. It also
should have had controls over spending to ensure that program staff could not spend
funds before signed agreements were properly in place.

Key 4. Implement Information and Communication Systems

Communications are essential for every organization. They rely on quality of information and
effectiveness of dissemination. Use the following suggestions to guide your information and
communication protocols:

 Establish relevant and reliable information systems to track operations, goal progress,
and compliance;
 Broadly distribute information throughout the organization to ensure that critical
information is delivered to the right staff in a timely way. Ask staff members what
information they need but are not getting;
 Establish separate lines of communication, such as fraud and ethics hotlines, for
confidential information. Inform employees of these separate reporting lines, how they
operate, and how reports are handled;
 Establish both outgoing and incoming lines of communication with external entities.
Stay aware of external events that could pose a risk.

Example of problematic information and communications

Seven years after a local government grantee got $10 million in Federal money to build a
cemetery and bus station, neither had been completed. Local authorities claimed they
had no documentation about the projects, such as approved work drawings and as-built
plans. The local government said it had no information about its own decisions because
contractors had the only copies of the paperwork and were holding them for “ransom.”
The contractors said they did not cooperate because the local government had not paid
them for completed work. The local government should have had a system for capturing
information regarding the status of projects, maintained reports available, and provided
them to decision-makers, as needed. The local government grantee should have
maintained all original records.

Key 5. Monitor Internal Controls

Establishing controls is not enough. Once they are in place, managers need to verify the
effectiveness of the controls. Ways to accomplish this include:

 Establish a system of quality control over all processes such as supervisory reviews,
approvals, and automated exception checks;
 Conduct routine reviews of actual performance compared to goals and budgets;
 Conduct separate management reviews of a function to determine whether it is
working as intended, or controls need to be redesigned. Use the GAO Internal
Control Management and Evaluation Tool to evaluate your internal controls;
 Arrange for external audits and be responsive to findings;
 Track all corrective actions, and ensure that they are implemented and
working as intended;
 Use monitoring to tie corrective actions back to improvements in Control
4
 Environment and Control Activity standards;
 Watch for signs of control problems.

Even strong controls do not always work. As you implement controls be mindful that all of the
controls systems are dependent upon people. The effectiveness of internal controls is directly
proportional to staffs’ willingness to adhere to them.

Example of inadequate monitoring of internal controls

An audit noted that a grantee had inadequate management oversight of its property and
financial records. In addition, the grantee lacked adequate policies, procedures, and
internal controls governing the use of vehicles, cellular phones, and credit cards. Staff
regularly used these assets for personal activities. Paperwork was incomplete and
supervisory review was nonexistent. Factors contributing to this noncompliance were the
board of commissioners' failure to exercise its leadership and monitoring function. The
board or other leadership should have had policies and procedures for the review and
approval of expenses and use of assets. They should also have had a means to check
that these controls were working through spot checks or other independent means such
as audits. If management had monitored expenditure reports, it would have been alerted
to the unauthorized spending.

Getting Help
Senior managers are responsible for internal controls, which are key to an organization’s ability
to achieve its goals. There are five basic standards that managers of CPD grantee organizations
should use to ensure effective and efficient operations. Management’s use and enforcement of
the above methods is a major indicator of an organization’s commitment to successful
governance.

There are many internal control training and ERM programs available on-line. Many States also
offer training or certification programs, as do many associations, including the Institute of Internal
Auditors, the American Institute of Certified Public Accountants, the Association of Government
Accountants, and the Committee of Sponsoring Organizations. There are also many private
training companies that offer generic management and internal control training. You can also
consult your local HUD office or independent auditor for ways to improve specific issues you may
have with internal control issues.

If you have knowledge of possible fraud, you must promptly report it to your local HUD Office of
Inspector General or online at HUD's hotline: https://www.hudoig.gov/report-fraud%20.

5
 Appendix

Examples of Risk Types and Risks

Governance Financial Business Compliance Stakeholders Physical

operations and legal environment
Weak leadership Poor budget Human capital Ignoring audit Congress Poor safeguarding
(ignoring controls or problems (hiring, or monitoring funding and of physical assets
management poor performance, findings passing new (buildings,
problems) accounting training, diversity laws equipment, etc.)
Lack of risk systems issues etc.) Not knowing New State from loss, damage,
Identification rules and local and theft
laws
Missed or unclear Unsupported Information Lawsuits, New Federal
project goals payments technology issues health and regulations Physical location
(Equipment, Safety issues risks:
systems, Natural
Pressure on staff Access to cash Allowing
that undercuts and accounting programs, etc.) discriminatory Disasters,
integrity records practices Super fund site,
Flood prone site,
Ineligible project Purchase or Poor Faulty Political etc.
activities travel card recordkeeping procurement pressures Economically
abuse processes depressed site
Hiring for Contractor Untimely or Federal law Citizen Distances to Sites
positions of trust billing Issues Inaccurate violations complaints
without proper reports and
vetting. communications
No quality control Conflicts of Difficulties Getting
processes interest to sites
Weak Allowing Contractor Data security Bad publicity Deteriorating or
organizational conditions for performance and privacy posing aging assets
structure embezzlement issues issues reputational (buildings ,
Failure to and other Lack of or Inadequate risks equipment, and
monitor goals financial fraud outdated policies monitoring of infrastructure)
and finances and procedures sub-awardees

While these categories and examples are not all inclusive, they show the breadth of areas
senior leadership must consider and manage, to the extent possible.