N.C. Local Government Finance Policy Manual

Chapter 9: Internal Controls

Last Revised on January 28, 2025

9.0 Introduction

Local governments have a duty to safeguard moneys and assets and ensure they are used for authorized and lawful purposes. Chapter 159 of the North Carolina General Statutes (henceforth G.S.), the Local Government Budget and Fiscal Control Act (LGBFCA), sets forth the statutory requirements for expending and accounting for public moneys. Many of the statutes contain built-in safeguards to ensure public money is adequately protected from threats of fraud, waste, misuse, or loss. For example, G.S. 159-28(a1) mandates that the finance officer or duly appointed deputy finance officer perform a preaudit process before obligating public moneys. The objective of the preaudit process is to ensure budgetary compliance—there must be an appropriation for every expenditure and sufficient funds remaining to cover the cost.

It is not enough, however, to comply with the requirements of the LGBFCA. Local governments should adopt a strong internal control system for all major financial functions and processes. The controls will help ensure that the statutory requirements of the LGBFCA are met. Each local government’s internal control system should be uniquely tailored to meet the specific needs and capabilities of that unit. The internal control processes for small units with limited finance staff will look much different than the internal control processes adopted by mid-size or large units of government.

This chapter explains the framework of internal control in a way that is meaningful to every local government. Therefore, regardless of a unit’s size or the complexities of its programs or activities, if a local government adopts the approach to internal control explained herein, it will have a functional internal control system.  

9.1 Establishing a Framework of Internal Control

In designing a system of internal control, local governments should rely on one of two widely accepted internal control frameworks. The first is the Internal Control–Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a voluntary organization dedicated to improving the quality of financial reporting and strengthening internal control in private-sector organizations. The second is the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government, known as the “Green Book.” The Green Book is the legally required internal control framework for federal entities, but it may be adopted by other public-sector organizations, including state and local governments, quasi-governmental agencies, and not-for-profit organizations.

The COSO Framework and the Green Book take a similar approach to internal control, and, therefore, either framework may form the basis of a local government’s internal control system. This chapter focuses on the Green Book framework because the Green Book is focused on internal control processes for the public sector, including the federal, state, and local governments.

9.2 What Are Internal Controls

Internal controls are the processes, procedures, and techniques that, when effectively implemented, provide reasonable assurance that the objectives of an organization will be met. According to the Green Book, an entity’s objectives generally fall within one of the following categories:

  • Operations—controls should foster effective and efficient business operations.
  • Financial reporting—controls should promote reliable financial reporting for internal and external use.
  • Compliance—controls should help assure compliance with applicable laws and regulations.
  • Fraud—controls should be tailored to reduce fraud risks.

It is important to recognize that internal controls are processes; they are not single events but are, rather, a series of actions that will be most effective when operationalized into daily business operations. In addition, even the strongest internal control system can provide only reasonable assurance that a unit’s objectives will be met. Absolute assurance is not possible due to the inherent limitations of internal control, such as unintentional mistakes and errors, management override of established controls, and external factors like natural disasters or cybersecurity breaches.

9.3 Responsibility for Internal Controls

The Green Book places the responsibility for internal controls on “management” and the “oversight body.” (GAO, Standards for Internal Control in the Federal Government, at 6-7 [hereinafter, Green Book]). For local governments, “management” will include the manager, finance officer, department heads, and others with managerial duties. The “oversight body” is the body of elected officials—the board of county commissioners or city/town council.

Those in management are responsible for implementing and monitoring the effectiveness of internal control. The finance officer is primarily responsible for adopting controls over financial processes and functions. The governing board has oversight responsibility, meaning the board must ensure that management has adopted a functional internal control system.

In small units, the governing board may be more involved in the internal control process—by helping management design internal controls and/or by compelling compliance by instituting and enforcing meaningful consequences for noncompliance. It is a common misconception that the external auditor is responsible for establishing or monitoring the effectiveness of internal controls. While auditors can help identify control weaknesses, the responsibility for internal controls ultimately rests with management and the governing board. The responsibilities of the governing board and management are explained in greater detail in section 9.4.1.

9.4 Components of Internal Control

The Green Book establishes five key components of internal control. The five components are supported by underlying principles that explain how to fully operationalize the component. If any components are ignored or not fully implemented, the internal control system will be less effective at helping a unit meet its objectives. Accordingly, it is necessary to gain a clear understanding of each of the five components of internal control.

The five key components of internal control include:

  1. control environment,
  2. risk assessment,
  3. control activities,
  4. information and communication, and
  5. monitoring.

(Green Book, at 7-8).

9.4.1 Control Environment

The first component of the Green Book’s internal control framework is the control environment. This component serves as the foundation of an internal control system. The control environment, otherwise described as “tone at the top,” is established through management and the oversight body’s directives, attitudes, and communication regarding the importance of internal control, competence, and ethical behavior in the workplace. (Green Book, at 22).  

There are five principles underlying the control environment that, when implemented, create a strong control environment. The principles include:

  1. The Oversight Body (i.e., the governing board) and Management Should Demonstrate a Commitment to Integrity and Ethical Values. To satisfy this principle, the local unit’s oversight body and management should adopt a code of conduct to communicate expectations concerning integrity and ethical values. Management may use the standards of conduct to evaluate the attitudes and behaviors of employees and departments and to determine the tolerance level for deviations.
  2. The Oversight Body Exercises Oversight Responsibility of the Unit’s Internal Control System. To satisfy this principle, the oversight body must oversee management’s design, implementation, and operation of the internal control system. The oversight body should test controls and consider whether the current internal control system is adequate to mitigate risks and guard against potential acts of fraud. The oversight body should provide guidance and constructive criticism and suggest how to remediate any deficiencies identified in the internal control system.
  3. Management Should Establish an Organizational Structure, Assign Responsibility, and Delegate Authority to Achieve the Unit’s Objectives. To satisfy this principle, management should (a) consider how the departments within the unit interact to fulfill the unit’s overall responsibility and (b) establish clear reporting lines with the organizational structure. Organizational charts should be used to establish reporting lines. For example, an organizational chart for a unit’s finance department may show the relationship and establish the level of authority between the various finance-related positions, such as the finance officer, deputy finance officer, accountant, payroll specialist, treasurer, and other positions. When advertising a new finance position, the position description should match the level of authority designated in the organizational chart. Management can use the organizational chart to delegate internal control responsibilities and other functions to personnel down the reporting chain.
  4. Management Should Demonstrate a Commitment to Recruit, Develop, and Retain Competent Employees. It is essential for management in a local unit to recruit qualified personnel to perform the essential job duties required. To this end, management must understand the specific skills and competencies needed to perform the duties associated with each finance-related role within the unit. Current employees should be encouraged, and sometimes required, to seek out training opportunities to help ensure that they maintain the level of competence necessary to accomplish assigned responsibilities. For example, if the unit receives a federal grant award, the person administering the award may require additional training on the reporting and compliance requirements tied to the use of those funds. Management must also make succession and contingency plans that consider issues such as whether to replace a specific position if the person in that role retires and how to respond if an employee unexpectedly cannot return to work.
  5. Management Should Evaluate Performance and Hold Individuals Accountable for Their Internal Control Responsibilities. To accomplish this principle, a local unit’s management should periodically conduct performance reviews of all employees. These reviews may address each employee’s level of competence in performing assigned duties and evaluate whether all employees are adequately performing assigned internal control responsibilities. For example, if the unit has a policy that requires the deputy finance officer to attach evidence of the preaudit to each executed contract, management should evaluate whether the deputy satisfies this internal control responsibility. If an employee is not meeting expectations, management may consider taking disciplinary action, provided such action is consistently applied to any employee who commits a similar policy violation.  

(See Green Book, at 21-33).

9.4.2 Risk Assessment

The second component of the internal control framework is risk assessment. Risk assessment is a process undertaken by management in a local unit to identify risks facing the unit as it seeks to achieve its objectives. (Green Book, at 34). Carrying out a risk assessment will allow management to identify areas needing additional control activities. The goal of the risk assessment is not to eliminate all risks; it is to determine acceptable levels of risk and make efforts to keep risk factors within agreed-upon boundaries. Management will want to identify unit-wide, departmental, and process or activity risks. Therefore, a risk assessment should be performed for all major financial functions and processes, including the cash management process, preaudit process, disbursements, accounts payable, accounts receivable, financial reporting, procurement, and any other key financial process.

It can be effective to approach risk assessment as a three-step process:

Step 1: Management defines the unit’s operational, financial reporting, and compliance objectives.

Step 2: Management identifies risks related to achieving the identified objectives.

Step 3: Management assesses the likelihood and impact of identified risks to determine a response.

Step 1: Identify Objectives (Green Book Principle 6). Before a unit can effectively identify risk areas, its objectives and goals must be established. As such, objective setting is a required first step in the risk assessment process. There are three categories of objectives: operational objectives (what must happen to ensure that business operations are running efficiently?); reporting objectives (what must happen, e.g., to ensure that financial statements, budgets, and other financial records are accurate and timely?); and compliance objectives (what must happen to ensure compliance with the LGBFCA and other governing federal or state law or local policy?). The more specific the objectives, the easier it will be for management to identify risks to achieving those objectives in the next step.

Step 2: Identify Risks (Green Book Principles 7 and 8). During this step of the risk assessment, management in a local unit should identify risks that may impact its finance department’s operations and that department’s ability to achieve identified financial reporting and compliance objectives. There are three categories of risk that should be identified. Each is discussed immediately below. There are also internal and external factors that may increase risk.

Inherent risk. Some transactions or operations are by their nature inherently risky. Cash transactions, for example, present an inherent risk. When moneys change hands, there is always a risk of loss, whether intentional or not. The same holds true for transactions or operations involving items of personal property such as laptop computers and other electronic equipment. There is an inherent risk that these valuable tangible items will be lost, stolen, or otherwise misused or misappropriated.

Change risk. Change is inevitable for every unit of government, and any change may elevate the level of risk in a unit’s daily operations. Changes that can increase risk may include changes in personnel or a change in the operating environment. For example, hiring new personnel increases risk because of the learning curve associated with any new hire. Risk also increases when a valuable employee leaves or retires, because certain institutional knowledge will no longer be available. Operational changes that increase risk include the use of new software, changes in information systems, or the undertaking of a new or complex program or activity. For example, under the American Rescue Plan Act of 2021, every municipality and county in North Carolina was eligible to receive distributions of federal financial assistance (i.e., a federal award) from the Coronavirus State and Local Fiscal Recovery Fund (CSLFRF). [See American Rescue Plan Act of 2021, Pub. L. No. 117-2, § 603, 135 Stat. 4, 228 (2021)]. The acceptance of CSLFRF funds obligated recipients and subrecipients to comply with the U.S. Department of Treasury’s compliance and reporting requirements, which are extensive and complex. In instances like this, when a local unit undertakes a new and complex activity, management must diligently identify the associated risks of carrying out the new program. 

Fraud risk. Management in local units should also consider the potential for fraud when identifying risks. “Fraud involves obtaining something of value through willful misrepresentation” for financial or personal gain. (Green Book, at 40). In general, there are three types of fraud. The first is corruption, which involves bribery, bid rigging, collusion, and other illegal acts between two or more parties. The second is the misappropriation of assets, which includes any theft of property, embezzlement, and fraudulent payments. The third is fraudulent financial reporting, which involves the intentional misstatement or the omission of amounts in financial statements or accounting records with the intent to deceive the financial statement user. (Green Book, at 40).

Step 3: Assess Risk and Determine a Response (Green Book Principles 7, 8, and 9). Once management has identified risks, it must decide how to respond. Not all risks are created equal. Some risks may be so remote, or the effects of such risks so inconsequential, that the unit may decide simply to accept those risks without developing controls to address them. Some risks, like natural disasters, may have such significant negative impacts that, even if unlikely, the unit must limit the risk, which is sometimes done through the purchase of insurance. For all other risks, management can implement control activities to help reduce the likelihood of such risks occurring or reduce the impact if they do.

To help determine which risks should be mitigated using control activities, management should first evaluate each risk using a likelihood/impact scale to determine priority. Those risks that rank “very high” or “high” on the risk-priority scale should be reduced through the implementation of a control. Unit management must weigh the cost (time, money, effort) of implementing a control with the resulting benefit, keeping in mind that the cost of the control activity should not exceed the cost that would be incurred if the risk occurred.

(See Green Book, at 34-43).

9.4.3 Control Activities

The third component of the Green Book’s internal control framework is control activities. Control activities form the backbone of the internal control system—these are the policies, processes, and techniques utilized to foster workplace efficiency, reliable financial reporting, and compliance with governing laws. There are two categories of control activities—preventive controls and detective controls. Preventive controls are implemented to deter the occurrence of an undesirable event, while detective controls help identify or detect the occurrence of an undesirable event. [Green Book, at 44-57 (providing broad discussion of control activities)].

Although there are many types of control activities, there are certain controls that are essential to incorporate into any internal control system.

Ideally, a unit should adopt written policies and procedures to address many of the legal compliance requirements outlined in general statutes, including those outlined in the LGBFCA and for major financial transaction cycles that are performed each day. For example, units should adopt policies and procedures to address the following: cash management, fund balance, procurement, preaudit, disbursements, accounts payable, accounts receivable, investments, accounting and financial reporting, and more.

  • Segregation of incompatible duties. Segregation of incompatible duties is often described as implementing a system of checks and balances. The premise of segregation of duties is that no single employee should have too much control—the same person should not be in a position to commit an irregularity and then conceal it. There are four functions that should be segregated: authorization, custody, record keeping, and reconciliation. Therefore, no one employee should be able to (1) authorize a transaction, (2) take custody of the asset resulting from that transaction, (3) record the transaction in the accounting records, and (4) reconcile records that reflect the transaction.

Complete segregation of duties can be a challenge for small units due to limited staff. At a minimum, one employee should not control more than two functions, and the recording function (entering financial information into the accounting system) and the reconciliation function must always be performed by different employees. It is difficult to catch mistakes, and far too easy for fraud to be committed, if the same person records transactions as part of the accounts receivable or payable functions and reconciles those accounts.

Small municipalities may need to adopt compensating controls to compensate for the absence of a primary control. For example, in a one- or two-person finance office, complete segregation of duties among finance staff is not possible. As such, a governing board member could be asked to perform the bank reconciliation or at least spot-check the bank reconciliation. The board member, who would not usually be required to perform bank reconciliation, would be doing so to compensate for the fact that the primary control, complete segregation of incompatible duties, is not possible. Small local governments can hire outside bookkeepers or swap reconciliation duties with nearby jurisdictions to have additional oversight for financial transactions. One person should never have the sole authority to perform all financial functions.

  • Authorizations and approvals. The establishment of clear authorization and approval authority helps to facilitate smooth workflow processes. Authorization involves the right to perform a specific task or responsibility. Approval authority grants oversight responsibility—the approver will verify the occurrence of a process or transaction.
  • Documentation. To ensure the accuracy, integrity, and accessibility of financial information, it is critical that management establish clear documentation and record retention guidelines. Written policies and procedures can be used to establish types of records that must be retained and to establish responsibility for maintaining records. For example, a procurement policy would specify the types of procurement documents (bids, contracts, quotes) that procurement officers are expected to retain.

Each local government unit must retain records in accordance with the State Archives of North Carolina’s Record Retention and Disposition Schedule for Local Government Agencies, available at: https://archives.ncdcr.gov/government/local.

  • Account Reconciliation. Account reconciliation is designed to corroborate the accuracy of financial records and help verify that a unit is maintaining a balanced budget. At a minimum, each month the finance officer should reconcile the general ledger balance with the bank statement balance. Subsidiary ledgers should also be reconciled regularly. A local unit should not wait until the end of a fiscal year to reconcile its accounting records or rely on the auditor to perform reconciliations.
  • Physical controls. Physical controls include the steps taken to protect real and personal property, including IT equipment, cash, checks, supplies, materials, and any other type of tangible asset from the risk of loss, misappropriation, or misuse. Physical controls include physical barriers, such as storing cash and valuables in locked cash boxes or safes, storing electronic equipment in locked storage rooms, or restricting access to public buildings and facilities to authorized employees with keycards. Local governments must take steps to implement physical controls to protect valuable assets from loss.
  • Cybersecurity controls. Information-system controls facilitate the proper operation of information systems and help ensure the validity, completeness, accuracy, and confidentiality of transactions. This is a complex control area, and management should ensure that it has adequately addressed threats of cyber-attacks and other issues that may result from insufficient cybersecurity controls. (See Green Book, at 51-55).
  • Education and training. Management has a duty to hire and retain competent personnel who have the proper education and training to perform job duties effectively. To ensure that employees have the necessary skills and training, employees should be allowed, or in some cases required, to attend supplemental training, conferences, or other educational events to advance skillsets and learn new competencies. Employees should also be trained in how to perform their internal control responsibilities. Performance appraisals can be used to assess whether employees are meeting expectations.

9.4.4 Information and Communication

The fourth component of internal control is information and communication. For an internal control system to work, the organization needs to communicate relevant information across all levels. This includes communication from top management to employees, and vice versa. Clear and timely communication of policies, procedures, workplace expectations, and internal control responsibilities is vital to help employees understand the organizational goals and objectives. (See Green Book, at 58-63). For example, if a finance officer overhauls the accounts payable process, the finance officer must communicate the changes to those employees who will be impacted. The impacted employees should be trained as necessary to perform the new process. In addition, management should encourage staff to communicate any glitches or concerns regarding the new process so that adjustments may be incorporated accordingly. Management will want to periodically verify that communication channels are effective and that employees are receiving and sharing information as intended. Without strong communication channels, it is more likely that employees will not understand their role in the internal control process. (See Green Book, at 58-63).

9.4.5 Monitoring

The final component of internal control is monitoring. Monitoring requires management to periodically assess the effectiveness of the internal controls system. When monitoring techniques are built into the unit’s business operations, control deficiencies may be more readily identified and corrected. Management is not required to review every transaction or financial report of the unit to determine whether controls are properly functioning. Instead, management can spot-check transactions, financial reports, and account reconciliations for timely completion and accuracy. (See Green Book, at 64-69). For example, management can spot-check paid invoices to determine if the goods or services covered by the invoices were certified as having been received prior to authorizing payment. Management should also monitor whether incompatible duties are segregated. If a breakdown in the system is identified, management may change the design of the controls to improve the operating effectiveness of the system. (See Green Book, at 64-69).

9.5 Pulling It Together: Applying the Five Components of Internal Control to the Daily Deposit Requirement

Up to this point, this chapter has explained each of the five components of internal control outlined in the Green Book. Now, we will apply those components to a specific financial function—the cash management and daily deposit requirement.  

G.S. 159-32 requires that all moneys collected or received by an officer or employee of a local government be deposited daily with a licensed cash collection service or deposited in an official depository. With governing board approval, deposits or submissions to a properly licensed and recognized cash collection service shall be required only when the moneys on hand amount to five hundred dollars ($500.00) or greater. To assure compliance with this statutory requirement, a local government must implement internal controls related to the collection and deposit of public moneys, and the five components of internal control should serve as the framework in designing the controls, as follows.

Control Environment: A key principle of the control environment is that management is tasked with implementing internal controls. Therefore, it is up to management, particularly the finance officer, to establish controls around the cash collection and deposit process. The controls must provide reasonable assurance that all moneys collected or received are properly accounted for, safeguarded, and timely deposited in compliance with G.S. 159-32.

Risk Assessment: Management must conduct a risk assessment of the cash receipts and deposit process to identify areas of risk. Conducting a risk assessment involves taking several steps.

Step 1: Identify Objectives

The first step in the risk assessment process is to identify the unit’s objectives for the specific process. The objectives can relate to the operational goals (e.g., what must happen for the cash receipts process to run smoothly); they can relate to financial reporting (e.g., what information must be recorded to have an accurate accounting of moneys collected or received); or they can relate to legal compliance objectives (e.g., what law(s) must we follow). A few examples of objectives for the cash receipts and daily deposit process are listed below.

  • A deposit is made each business day as required per G.S. 159-32. (compliance objective)
  • Cashiers accurately and timely record payments in the Daily Collection Report. (financial reporting objective)
  • Cashiers issue prenumbered receipts to the payor and retain a copy for the unit. (operational and financial reporting objective)
  • Cash-on-hand that remains on the premises overnight is secured in a safe. (operational objective)
  • The bank verifies a second deposit slip that is returned to the local government after a deposit is made. (operational and financial reporting objective)
  • The general ledger is updated to reflect the amount of the daily deposit on the same day a deposit is made. (financial reporting objective)
  • The bank account statement and general ledger are reconciled monthly. (financial reporting objective)

Step 2: Identify Risks

Next, the unit will want to identify the risks that may make it more difficult to achieve the objectives. To do this, the existing cash receipts and deposit processes must be evaluated—consider how the process works and where weaknesses may lie. It is imperative that cash handlers are properly trained on general procedures for cash drawers and cash transactions, that there is adequate segregation of duties, and that moneys are safeguarded from threats of loss or misappropriation. It can be helpful to ask who, what, when, where, why, and how questions to help explain the existing processes and identify areas of concern. For example, if you ask who oversees performing specific functions in the daily deposit process and realize that the same person performs multiple functions, you can conclude that a risk area is a lack of segregation of duties.

A few questions to consider include:

  • Has the unit adopted written cash handling procedures?
  • Are employees who are involved in the cash handling process adequately trained?
  • Do cashiers prepare receipts for each payment and where/how does the unit store records of payments made?
  • Who maintains a Daily Collection Report?
  • Is there more than one person who records payments in the Daily Collection Report and prepares the deposit slip?
  • How are deposits made?
  • Who updates the general ledger with the deposit amounts and how frequently is this task performed?
  • Is a deposit slip prepared in duplicate and verified by the bank?
  • How is cash stored and does the storage method adequately safeguard the moneys to prevent loss or theft?
  • Who performs the bank reconciliation—and is a reconciliation performed monthly (at a minimum)?
  • Who supervises the cash handling process?
  • Is there an adequate segregation of duties?  

Step 3: Analyze and Prioritize Risks

After risks are identified, the unit must assess the likelihood of the risk occurring and the potential impact if the risk did occur.  Not all risks are created equal. Risks that will result in financial loss and/or damage to the local government’s reputation will be considered a high priority for risk mitigation. Risk mitigation strategies, also known as control activities, are discussed below.

Control Activities: After identifying areas of risk, the finance officer will want to implement control activities to help mitigate the identified risks. This can be done by taking the most common control activities (explained in section 9.4.3 above) and applying them to the cash receipts and deposit process. A model cash handling policy, as well as a list of suggested control activities for the cash receipts process, is included in the supplemental materials for this chapter. Local governments should adopt cash-handling policies that include specific procedures and assign responsibilities for performing the outlined functions in the policy. Below are a few examples of possible risk areas and how to implement control activities to mitigate the risks. For many risks, more than one control activity can be implemented to help minimize the risk.

The chart below provides a few examples of possible risks in the cash receipts process and identifies specific control activities that could help mitigate the risks.

Risk Area: Cashiers are inadequately trained in the cash handling process as evidenced by the fact that cashiers do not consistently provide receipts for payments.
Control Activity:
  • Policies and Procedures: Adopt a cash handling policy. The policy should include cash handling procedures and assign responsibilities to specific staff members.
  • Documentation: Create a template for receipts that incorporates the required information into the template.
  • Staff Training: Train employees on the cash handling process.

Risk Area: The same employee updates the general ledger with the deposit amounts and reconciles the general ledger with the bank account.
Control Activity:
  • Segregation of Duties: Ensure different employees perform the recording and reconciliation functions.

Risk Area: Cashboxes are stored in unlocked file cabinets.
Control Activity:
  • Physical Controls: Store cash in cash boxes that individually lock. When stored together, ensure access to the storage area is restricted and only authorized employees have access.

Risk Area: The general ledger occasionally has missing entries for the daily deposits’ amounts.
Control Activity:
  • Reconciliation: Adopt a more frequent reconciliation process (perhaps weekly) to catch missing transactions or recording errors sooner.
  • Staff Training: Ensure employees responsible for recording the deposits understand this requirement.

Information and Communication: The fourth component of internal control—information and communication—simply requires that management communicate to staff any new or updated processes or procedures that they may be required to follow in performing their duties. For example, if management decides to restructure the cash receipts and deposit process, it is the responsibility of management to communicate the new processes and to train staff accordingly. Employees should always receive copies of written policies and procedures, as these documents play a key role in staff training. In addition, management should be open to feedback from employees implementing new processes. In many cases, the employees performing a specific function can identify glitches in new processes and make suggestions for improvement.

Monitoring: The final component of internal control is monitoring. Per our example, the finance officer and others directly involved in the cash receipt and deposit process will want to monitor the effectiveness of the internal controls. For example, the finance officer may want to spot-check transactions to see if they are regularly recorded to the general ledger or periodically ask for copies of receipts to determine if cashiers are meeting the documentation requirements as established in the policy and procedures. It is particularly important to monitor and reevaluate processes and procedures when there is staff turnover or another impactful change, such as adopting new accounting software. Changes such as these will generally require a modification in the internal control process to account for the new circumstances.

9.6 Internal Control over Federal Awards

The Uniform Guidance (2 C.F.R. Part 200), officially titled the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, is a comprehensive set of rules issued by the Office of Management and Budget (OMB) that sets forth the uniform standards for managing federal financial assistance, including federal grants.

2 C.F.R. § 200.303(a) requires recipients and subrecipients of federal awards to establish, maintain, and document effective internal controls over federal awards. The controls must provide reasonable assurance that the recipient or subrecipient is managing the award in compliance with the federal statutes, regulations, and the terms and conditions of the federal award. Units are also required to take cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. [2 C.F.R. § 200.303(e)].

The Uniform Guidance suggests that the grant internal controls should be modeled after the “Standards for Internal Control in the Federal Government” (i.e., the Green Book) or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Framework). [2 C.F.R. § 200.303(a)]. Accordingly, recipients and subrecipients of federal awards should base their system of internal controls over federal awards on the COSO Framework or Green Book, as follows:

  1. Establish a strong control environment by ensuring that management clearly defines roles and responsibilities related to the administration of federal awards. Management must communicate that ethical behavior is a top priority and ensure staff involved in the grant administration are properly trained to carry out the federal award in compliance with governing federal and state law and the grant award terms and conditions.
  2. Perform a risk assessment to identify risks in the recipient or subrecipient’s grants management process. To effectively identify risk areas, the finance officer, manager, and grants administrator must be familiar with the administrative requirements established in the Uniform Guidance and the specific terms and conditions tied to each federal award. During the risk assessment process, management must identify potential risks that may result in noncompliance. For example, all direct costs charged to an award must be allowable as defined in the Uniform Guidance, Subpart E, Cost Principles. As such, management would want to assess whether there is an Allowable Cost policy in place (which is required), whether staff understands the cost items that may be charged to a particular award, and whether the accounting system can properly track grant expenditures.
  3. Implement control activities to mitigate the risks identified during the risk assessment process. Control activities are the policies, procedures, and processes that, when implemented, promote efficient business operations, reliable financial reporting, and compliance with governing laws, including the grant award terms and conditions. Section 9.4.3 above details the control activities that are essential to ensure a fully functional internal control system. These same controls apply to federal awards. It is particularly important to establish documentation and record retention procedures to help become audit ready. In addition, local governments must adopt the required grant policies and establish procedures to separately manage and track expenditures of federal award moneys.
  4. Communicate controls to employees responsible for managing the federal award and carrying out established control activities. The communication must be timely and accurate and will likely include training staff on the procedures management has implemented to help ensure compliance with governing laws and regulations.
  5. Monitor the grant controls to ensure that they are working and are sufficient to provide reasonable assurance of reliable financial reporting and compliance with governing laws and regulations.

9.6.1 Financial Management of Federal Awards

The Uniform Guidance mandates that recipients and subrecipients of federal awards take measures to safeguard federal moneys by implementing a financial management system that is capable of accurately tracking and accounting for expenditures of grant funds. The financial management system must meet the standards specified in 2 C.F.R. § 200.302, meaning, at a minimum, the system must be capable of:

  • Identifying all federal awards received and expended and the federal programs under which they were received.
  • Producing accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements in §§ 200.328 and 200.329.
  • Maintaining records that sufficiently identify the amount, source, and expenditure of federal award funds. The “records must contain information necessary to identify federal awards, authorizations, financial obligations, unobligated balances, as well as assets, expenditures, income, and interest. All records must be supported by source documentation.” [2 C.F.R. § 200.302(b)(3)].
  • Comparing expenditures with budget amounts of each federal award.
  • Maintaining effective control and accountability for all funds, property, and assets by safeguarding the assets and ensuring they are used for authorized purposes.

In addition, 2 C.F.R. § 200.302 requires recipients and subrecipients to adopt written payment-management procedures to implement the requirements of § 200.305 and to adopt an allowable cost/cost principles policy that addresses how determinations are made regarding the allowability of costs in accordance with Subpart E and the terms and conditions of the federal award.

9.6.2 The Compliance Supplement & Internal Control

Recipients and subrecipients that expend $1 million or more in federal financial assistance during a single fiscal year must undergo a federal audit. (2 C.F.R. § 200.501). The auditor is required to obtain an understanding of the recipient’s or subrecipient’s internal control over federal programs (2 C.F.R. § 200.514). The Office of Management and Budget’s Compliance Supplement is published annually as a resource intended for auditors performing the federal single audit of major federal programs. This publication, however, is also a helpful tool for recipients and subrecipients of federal awards. The Compliance Supplement includes a Matrix of Compliance Requirements for each major federal program that indicates which of the twelve compliance areas the auditor will test during the single audit. Also, Part 6 of the Compliance Supplement includes two appendixes that provide examples of grant internal controls—Appendix I contains examples of entity-wide controls over federal awards, and Appendix II provides examples of internal controls specific to each compliance requirement. These appendixes can serve as a starting point as organizations implement internal control systems over federal awards.

9.7 Summary

A strong internal control system is necessary to help ensure the effective operation of local governments. Properly designed and functioning internal controls over key financial transactions and processes will significantly reduce the likelihood that errors or fraud will occur and/or remain undetected. When the finance officer, manager, and others take the time to model their internal control system after the framework outlined in the Green Book, this signals to employees and external stakeholders alike that the local government values its responsibility to be a good steward of public moneys and assets.

9 Internal Controls

Sample Ordinances and Policies

There are currently no sample ordinances or policies for this chapter.

Implementation Tools

Internal Control Process

LGC Memos

Alternative Engagement for Audit of Local Fiscal Recovery Funds, Education...

Finance in Fives

Internal Controls

Finance in 5 | Elected officials and local government employees have a duty to ensure the proper stewardship of public funds. To meet this requirement, a strong system of internal controls must be established. This video discusses the processes, procedures, and techniques designed to safeguard assets and help ensure accurate financial reporting and compliance with governing laws.

Blog Posts

Total Posts: 2

Internal Control in Financial Management: Understanding the Basics

November 1, 2023 3:58 pm
Headline: City finance employee embezzles public money. While the facts may differ, the story underlying this all-too-common headline is usually one in which a trusted employee slowly pockets money by writing checks or electronically transferring funds to a personal bank account until the fraud is eventually uncovered. How did this happen? Citizens want to know. They look to the governing board for answers—we elected you and entrusted you to protect us.

The Bank Reconciliation: A Key Internal Control in Financial Management

April 8, 2024 12:00 am
What if I said there’s a process that, when regularly performed, provides the following benefits: (1) increased accuracy in financial reporting, (2) early fraud detection, and (3) less time spent preparing for the annual financial audit—would you believe me? It probably sounds too good to be true. But, luckily, it’s not. Such a process exists—it is the bank reconciliation process.