On August 14, 1987, Governor Mario M. Cuomo signed the New York State Accountability, Audit and Internal Control Act. This legislation was one of two bills enacted to achieve the Governor's objective of increasing the accountability and effectiveness of State government. The new law required the heads of all State agencies and authorities - some 115 in all - to establish effective internal control systems and, as a check, to establish programs of internal control review to correct any control weaknesses.

The legislation was timely in light of the difficult financial climate confronting the State. Improved internal controls would assure funds were spent properly and agencies functioned effectively to achieve their intended purposes.

Because the new law placed responsibility for effective internal controls squarely with the agency and authority heads, the Governor did not prescribe a standard format for reviewing internal controls, identifying weaknesses, designing steps to strengthen them, and monitoring installation of corrective measures. Each agency was called upon to design its own internal control review process, although statewide memoranda emphasized that each system should meet recognized standards. It was believed that, considering the wide variety of missions and cultures among the State's organizations, compliance would be greater if the agencies and authorities had freedom in designing their own internal control programs.

The Governor assigned responsibility for implementing the Act to his central fiscal office, which adopted a three-pronged approach: Engaging a major accounting firm to provide detailed training to agency managers on internal control techniques; assembling and distributing to State agencies and authorities comprehensive internal control manuals, including internal control material from the General Accounting Office and the State Comptroller; and mounting a widespread program of technical assistance to State agencies and authorities to accelerate installation of vigorous internal control programs.

However, early on the central budget staff discovered many of New York's smaller agencies - in fact, the majority of all State organizations - had neither the staff resources nor the time to research design alternatives and develop effective internal control review systems. Accordingly, the budget office designed an integrated internal control review process. The system was constructed so that an organization could proceed step-by-step through a series of questions and tables which, once completed, would constitute a complete review cycle. To accent the action focus of the system, it was dubbed "The Four Step Process for Internal Control." Original development of the process was carried out by Frank Walter. Tom Lukacs contributed substantial refinments to the system.

Because the system emphasized simplicity of completion, it was not modeled after any of the common internal control review procedures that have been published. For example, the widely used guidelines of the Office of Management and Budget (OMB), which were first issued in December 1982, used seven steps to conduct the internal control program. Even though the OMB manual was straight-forward, an even more streamlined approach was needed to match the needs of many New York agencies.

As finally designed, the four-step process relieves the operating agencies of any design responsibility. They can immerse themselves in the procedure at the outset and proceed methodically to its conclusion through four discrete segments:

* Identify the functions performed in support of the agency's stated mission and program objectives;

* Assess the vulnerability of the function to errors, irregularities, or unintended program results and the consequences which are likely to occur if those functions are not properly performed;

* Review internal controls, scheduling such reviews according to relative levels of vulnerability; and

* Take appropriate steps to correct internal control weaknesses.

Each of these steps is described in detail. Included as exhibits are the forms used to carry out each phase of the process.

Step One: Identify Functions

The most effective way to begin an evaluation of internal control systems is to segment an agency into organizational units and develop an inventory of the functions and responsibilities of those units. This inventory should cover all program and administrative functions necessary for the agency to carry out its mission. These functions should be defined clearly enough to facilitate a meaningful vulnerability assessment of each area.

Functions can be most easily identified through organizational charts, departmental budgets, policy and procedure manuals, job descriptions, and program and financial management information systems. A sample function identification form used to guide agencies in completing this inventory is shown in Exhibit 1.

Step Two: Assess Vulnerabilities

A vulnerability assessment is a general review of the susceptibility of a function to errors, irregularities, unauthorized use, or inappropriate program results. It is used to determine the likelihood that something could go wrong and to evaluate the seriousness of those consequences.

The vulnerability assessment is intended to provide an agency with the following:

1. An indication of what functional areas should get priority attention from management because of the nature, sensitivity, and importance of the function's operations;

2. A preliminary judgment from managers about the adequacy of existing internal control techniques to minimize or detect problems; and

3. An early indication of potential internal control weaknesses which should be corrected.

As a general rule, to properly assess the current level of risk associated with a function, the vulnerability assessment should address such factors as -

* The attitude of management toward maintaining effective internal control systems;

* The technical or administrative complexity of the operation;

* The existence of adequate organizational charts, lines of communication, and clear designation of work assignments;

* Demonstrated adherence to prescribed policies and procedures;

* The fiscal implications of the program, including the size of the budget and the extent to which the function involves the handling of cash receipts and disbursements or the approval of contract or grant funds;,

* The sensitive nature of the program and the extent to which program decisions can be influenced by external sources, time constraints, or conflicts of interest on the part of agency officials;

* The professional training and technical proficiency of staff needed to properly perform the function;

* The stability of the operations in terms of the rate of change in functional responsibilities, staff turnover, permanence of the functional unit, and reconfigurations of the organizational structure;

* The frequency of internal or external audits of the function and the significance of audit findings; and

* The inherent risk associated with the function regardless of the existence of adequate internal controls.

The results of the vulnerability assessment allow agencies to classify functions as high, moderate, or low risk. The results may also highlight specific weaknesses where immediate remedial steps can be taken by management. More importantly, the vulnerability assessment process offers an agency the opportunity to rank functions in priority order - most important to least, most vulnerable to least - to schedule, on a systematic basis, reviews to determine how well internal controls are working.

After the initial vulnerability assessment is completed, it should be updated periodically at the discretion of management. Revisions should be made if the agency undergoes organizational, staffing, or program changes or if an internal control review, audit, or other management analysis uncovers unexpected weaknesses. A sample vulnerability assessment form is shown in Exhibit 2.

Stop Three: Review Internal

Controls

The need for an internal control review of a function relates to the level of risk assigned by the vulnerability assessment. Functions identified as more vulnerable could be candidates for internal control reviews regardless of whether the vulnerability assessment identified any internal control weaknesses. Depending on the cause and level of the vulnerability, management priorities, and resource availability, an internal control review could be conducted annually, every two to three years, or less frequently. An internal control review can take a variety of forms:

* Observing whether staff perform the function properly;

* Discussing with staff how the function is performed and whether those steps are reasonable;

* Establishing what key control objectives have to be achieved;

* Examining documents and procedures followed by staff to determine whether they are adequate and complete; and

* Evaluating and testing actual work products to confirm procedures are being followed and the results are consistent with planned program outcomes.

The nature of the internal control review will vary depending on the significance and complexity of the function being reviewed, the level of identified risk, and the controls in place. The greater the potential vulnerability, the greater the need for probing internal controls and the greater the need for regular and more formal evaluation.

The results of the ICR should be documented and should answer the following questions:

* What are the objectives of the function? What is it trying to achieve? What problem is it trying to avoid?

* What steps are followed to achieve those objectives?

* What internal control weaknesses exist - including excessive controls - which inhibit achieving the control objectives?

* What cost-effective corrective actions can be taken to eliminate or reduce these weaknesses?

Agencies use the sample internal control review form shown in Exhibit 3 to document the results of their reviews.

Step Four: Design Corrective

Actions

The fourth step in the process is to correct internal control weaknesses identified through the vulnerability assessment or internal control review process. A plan of corrective action should assign responsibility, establish time frames for implementing improvements, and report on progress toward these improvements. Executive management should approve the plan to assure that recommended actions are cost effective. Internal auditors or independent auditors may be used to monitor adherence to the plan and to offer recommendations on appropriate corrective actions.

Some corrective actions may be implemented immediately (i.e., refine procedures, document procedures, and conduct training). More time may be needed for those actions which require organizational changes, redeployment of resources, or a fundamental rethinking of the function's objectives.

A sample corrective action form is included in Exhibit 4. It can be used to monitor progress towards correcting weaknesses.

Four Steps to A Successful

Program

Nearly half of New York State's agencies and authorities have chosen to use the four-step process as their own internal control review system. The four-step process has proven itself: All the organizations that have adopted the process have completed it successfully in a minimal time. The result has been a remarkable acceleration of the pace by which New York State Agencies have assessed their systems of internal control.

Stephen M. Fletcher is Deputy Chief Budget Examiner in the Division of the Budget of the State of New York. Mr. Fletcher has worked in the Division of the Budget for 23 years and holds a master's degree in public administration.