D F S Header
FLDFS HOME | CONTACT US | SITEMAP | SEARCH FLDFS
    

Division of Accounting and Auditing
 

PART FIVE - Internal Controls

Activities Allowed or Unallowed | Cash Management | Eligibility | Equipment and Real Property Management | Matching | Period of Availability of State Funds | Reporting | Subrecipient Monitoring

Section 215.97(10), Florida Statutes, The Florida Single Audit Act, requires auditors conducting a state single audit of recipients or subrecipients to obtain an understanding of internal controls, assess control risk and, unless the controls are deemed to be ineffective, perform tests of controls. Additionally, auditors are to determine whether the nonstate entity has internal controls in place to provide reasonable assurance of compliance with the provisions of laws, regulations, and other rules, pertaining to state awards that have a material effect on each major state project.

Part Five is intended to assist auditors in complying with these requirements by describing for each type of compliance requirement, the objectives of internal control and certain characteristics of internal control that when present and operating effectively may ensure compliance with project requirements. However, the categorizations reflected in Part Five might not necessarily reflect how an entity considers and implements internal control. Also, this part is not a checklist of required internal control characteristics. Nonstate entities could have adequate internal control even though some or all of the characteristics included in Part Five are not present. Further, nonstate entities could have other appropriate internal controls operating effectively that have not been included in Part Five. Nonstate entities and their auditors will need to exercise judgment in determining the most appropriate and cost effective internal control in a given environment or circumstance to provide reasonable assurance for compliance with state project requirements.

The characteristics of internal control are presented in the context of the components of internal control as incorporated in the Statement on Auditing Standards No. 78 (SAS 78), Consideration of Internal Control in a Financial Statement Audit, issued by the Auditing Standards Board of the American Institute of Certified Public Accountants. Thus, Part Five describes characteristics of internal control relating to each of the five components of internal control that should reasonably assure compliance with the requirements of state laws, rules, and project compliance requirements. A description of components of internal control as defined by SAS 78 is listed below, as well as examples of characteristics common to the 10 compliance requirements. Objectives of internal control and examples of characteristics specific to each of the compliance requirements (except Special Tests and Provisions) follow this introduction.

Control Environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

  • A sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive, is established.

  • Management responds in a positive manner to control recommendations.

  • Management exhibits respect for and adherence to project compliance requirements.

  • Key managers’ responsibilities are clearly defined.

  • Key managers have adequate knowledge and experience to discharge their responsibilities.

  • Staff is knowledgeable about compliance requirements and able to communicate all instances of noncompliance to management.

  • Management’s commitment to competence ensures that staff receive adequate training to perform their duties.

  • Management supports an adequate information and reporting system.

Risk Assessment is the entity’s identification and analysis of relevant risks to the achievement of its objective, forming a basis for determining how the risks should be managed.

  • Project managers and staff understand and have identified key compliance objectives.

  • Organizational structure provides identification of risks of noncompliance:
    • Key managers have been given the responsibility to identify and communicate changes.
    • Employees who require close supervision are identified.
    • Management has identified and assessed complex operations, programs, or projects.
    • Management is aware of the results of monitoring, audits, and reviews and considers related risk of noncompliance.

  • A process is established to implement changes in project objectives and procedures.

Control Activities are the policies and procedures that help ensure that management directives are carried out.

  • Operating policies and procedures are clearly written and communicated.

  • Procedures are in place to implement changes in laws and rules.

  • Management prohibits intervention or overriding established controls.

  • Adequate segregation of duties provided between the performance, review, and record-keeping of a task.

  • Computer and project controls include:
    • Data entry controls.
    • Exception reporting.
    • Access controls.
    • Reviews of input and output data.
    • Computer general controls and security controls.

  • Supervision of employees is commensurate with their level of competence.

  • Personnel has adequate knowledge and experience to discharge responsibilities.

  • Equipment, inventories, cash, and other assets are secured physically and are periodically counted and compared to recorded amounts.

Information and Communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

  • The accounting system provides for separate identification of state and nonstate transactions.

  • Adequate source documentation exists to support amounts and items reported.

  • A record keeping system is established to ensure that accounting records and documentation retained for the time period required by laws, rules, and contracts or grant agreements applicable to the project.

  • Reports are provided timely to managers for review and appropriate action.

  • Accurate information is accessible to those who need it.

  • Reconciliations and reviews ensure accuracy of reports.

  • Internal and external communication channels are established.

  • Employees’ duties and control responsibilities are effectively communicated.

  • Channels of communication for people to report suspected improprieties are established.

  • Actions are taken as a result of communications received.

  • Channels of communication with subrecipients are established.

Monitoring is a process that assesses the quality of internal control performance over time.

  • Ongoing monitoring is established through independent reconciliations, staff meeting feedback, rotating staff, supervisory review, and management review of reports.

  • Periodic site visits are performed at decentralized locations (including subrecipients) and checks are performed to determine whether procedures are being followed as intended.

  • Irregularities and deficiencies are followed up to determine causes.

  • Internal quality control reviews are performed.

  • Management meets with project monitors, auditors, and reviewers to evaluate the condition of the project and controls.

  • Internal audit routinely tests for compliance with state requirements.

Return To Top

A./B. Activities Allowed or Unallowed and Allowable Costs  

Control Objectives

To provide reasonable assurance that state financial assistance is expended only for allowable activities and that the costs of goods and services charged to state awards are allowable and in accordance with applicable cost principles.

Control Environment

  • Management sets reasonable budgets for state and nonstate projects so that no incentive exists to miscode expenditures.
  • Management enforces appropriate penalties for misappropriation or misuse of funds.
  • An organization-wide cognizance of the need for separate identification of allowable costs exists.
  • Management provides personnel approving and pre-auditing expenditures with a list of allowable and unallowable expenditures.

Risk Assessment

  • There exists a process for assessing risks resulting from changes to cost accounting systems.
  • Key managers have sufficient understanding of staff, processes, and controls to identify where unallowable activities or costs could be charged to a state project and not be detected.

Control Activities

  • Accountability is provided for charges and costs between state and nonstate activities.
  • Computations are checked for accuracy.
  • Supporting documentation is compared to a list of allowable and unallowable expenditures.
  • Adjustments to unallowable costs are made where appropriate and follow-up action taken to determine the cause.
  • There exists adequate segregation of duties in the review and authorization of costs.
  • Accountability for authorization is fixed in an individual who is knowledgeable of the requirements for determining activities allowed and allowable costs.

Information and Communication

  • Reports, such as a comparison of budget to actual, are provided to appropriate management for review on a timely basis.
  • Communication channels on activities and costs allowed have been established.
  • Training programs provide knowledge and skills necessary to determine activities and costs allowed.
  • Management and staff interact regarding questionable costs.
  • Grant agreements (including referenced project laws, rules, guidelines, etc.) and the Department of Financial Services' Reference Guide for State Expenditures Handbook are available to staff responsible for determining activities allowed and allowable costs.

Monitoring

  • Management reviews supporting documentation of allowable cost information.
  • There is a flow of information from the state agency to appropriate management personnel.
  • Comparisons are made with budget and expectations of allowable costs.
  • Analytical reviews (e.g., comparison of budget to actual or prior year expenditures to current year expenditures) and audits are performed.

Return To Top

C. Cash Management

Control Objectives

To provide reasonable assurance that advances and reimbursements comply with state law and that interest income is correctly recorded and returned to the state agency or applied against the contract or grant agreement unless a waiver is obtained from the Chief Financial Officer.

Control Environment

  • There exists appropriate assignment of responsibility for approval of reimbursement requests.

Risk Assessment

  • Management has identified projects that receive cash advances and is aware of interest income requirements.

Control Activities

  • There exists an appropriate level of supervisory review of cash management activities.
  • There is a written policy that provides repayment of excess interest earning where required.

Information and Communication

  • Variance reporting of expected versus actual cash disbursements of state financial assistance occurs.

Monitoring

  • Entity cash management, budget and actual results, and repayment of excess interest earnings are periodically evaluated.

Return To Top

D. Eligibility

Control Objectives

To provide reasonable assurance that only eligible individuals and organizations receive assistance under state projects, that subawards are made only to eligible subrecipients, and that amounts provided to or on behalf of eligibles were calculated in accordance with project requirements.

Control Environment

  • Staff size and competence provides for proper making of eligibility determinations.
  • Realistic caseload/performance targets are established for eligibility determinations.
  • Lines of authority are clear for determining eligibility.

Risk Assessment

  • The risk that eligibility information prepared internally or received from external sources could be incorrect is identified.
  • Conflict of interest statements are maintained for individuals who determine eligibility.
  • Process for assessing risks resulting from changes to eligibility determination systems is established.

Control Activities

  • Written policies provide direction for making and documenting eligibility determinations.
  • Procedures to calculate eligibility amounts are consistent with project requirements.
  • Eligibility objectives and procedures are clearly communicated to employees.
  • Authorized signatures on eligibility documents are periodically reviewed.
  • Access to eligibility records is limited to appropriate persons.
  • Manual criteria checklists or automated processes are used in making eligibility determinations.
  • Process for periodic eligibility re-determinations are in accordance with project requirements.
  • The accuracy of information used in eligibility determinations is verified.
  • Procedures to ensure the accuracy and completeness of data used to determine that eligibility requirements are in place.

Information and Communication

  • Information system meets the needs of eligibility decision-makers and project management.
  • Processing of eligibility information is subject to edit checks and balancing procedures.
  • Training programs inform employees of eligibility requirements.
  • Channels of communication exist for people to report suspected eligibility improprieties.
  • Management is receptive to suggestions to strengthen the eligibility determination process.
  • Documentation of eligibility determinations is in accordance with project requirements.

Monitoring

  • Management performs periodic analytical reviews of eligibility determinations.
  • Project quality control procedures are performed.
  • Periodic audits of detailed transactions are performed.

Return To Top

E. Equipment and Real Property Management

Control Objectives

To provide reasonable assurance that proper records are maintained for equipment acquired with state financial assistance, equipment is adequately safeguarded and maintained, and disposition or encumbrance of any equipment or real property is in accordance with state requirements.

Control Environment

  • Management is committed to providing proper stewardship for property acquired with state financial assistance.
  • No incentives exist to undervalue assets at time of disposition.
  • Sufficient accountability exists to discourage the temptation of misuse of state assets.

Risk Assessment

  • Procedures are in place to identify risk of misappropriation or improper disposition of property acquired with state financial assistance.
  • Management understands the requirements and operations sufficiently to identify potential areas of noncompliance.

Control Activities

  • Accurate records are maintained on all acquisitions and dispositions of property acquired with state financial assistance.
  • Property tags are placed on equipment.
  • A physical inventory of equipment is periodically taken and compared to property records.
  • Property records contain description (including serial number or other identification number), source, titleholder, acquisition date and cost, percentage of state participation in the cost, location, condition, and disposition data.
  • Policies and procedures are in place for the responsibility of record keeping and the authority for disposition.

Information and Communication

  • Accounting system provides for separate identification of property acquired wholly or partly with state funds and with nonstate funds.
  • A channel of communication exists for people to report suspected improprieties in the use or disposition of equipment.
  • Project managers are provided with applicable requirements and guidelines.

Monitoring

  • Management reviews the results of periodic inventories and follows up on inventory discrepancies.
  • Management reviews dispositions of property to ensure appropriate valuation and reimbursement to state awarding agencies.

Return To Top

F. Matching

Control Objectives

To provide reasonable assurance that matching requirements are met using only allowable funds or in-kind contributions that are properly calculated and valued.

Control Environment

  • Commitment from management to meet matching requirements (e.g., adequate budget resources to meet a specified matching requirement or maintain a required level of effort) is demonstrated.
  • The budgeting process addresses and provides adequate resources to meet matching requirements.
  • Official written policy exists outlining:
    • Responsibilities for determining required amounts or limits for matching.
    • Methods of valuing matching requirements.
    • Allowable costs that may be claimed for matching.
    • Methods of accounting for and documenting amounts used to calculate amounts claimed for matching.

Risk Assessment

  • Areas where estimated values will be used for matching have been identified.
  • Management has sufficient understanding of the accounting system to identify potential recording problems.

Control Activities

  • Evidence has been obtained or other procedures performed to identify whether matching contributions:
    • Are from nonstate sources.
    • Involve state funding, directly or indirectly.
    • Were used for another state-assisted project.
      Note: Generally, matching contributions must be from a nonstate source and may not involve state funding or be used for another state-assisted project.
  • Monthly cost reports and adjusting entries are adequately reviewed.

Information and Communication

  • Accounting system is capable of:
    • Separately accounting for data used to support matching amounts, limits or calculations.
    • Ensuring that expenditures or expenses, refunds, and cash receipts or revenues are properly classified and recorded only once as to their effect on matching.
    • Documenting the value of "in-kind" contributions of property or services, including:
      • Basis for local labor market rates for valuing volunteer services.
      • Payroll records or confirmation from other organizations for services provided by their employees.
      • Quotes, published prices, or independent appraisals used as the basis for donated equipment, supplies, land, buildings, or use of space.

Monitoring

  • Supervisory review of matching activities is performed to assess the accuracy and allowability of transactions and determinations.

Return To Top

G. Period of Availability of State Funds

Control Objectives

To provide reasonable assurance that state funds are used only during the authorized period of availability.

Control Environment

  • Management understands and is committed to complying with the period of availability requirements.
  • Entity's operations are such that it is unlikely there will be state funds remaining at the end of the period of availability.

Risk Assessment

  • The budgetary process considers the period of availability of state funds as to both obligation and disbursement.
  • The period of availability cut-off requirements as to both obligation and disbursement is identified and communicated.

Control Activities

  • Accounting system prevents obligation or expenditure of state funds outside of the period of availability.
  • The review of disbursements is by a person knowledgeable of the period of availability of funds.
  • End of grant period cut-offs are met by such mechanisms as advising project managers of impending cut-off dates and review of expenditures just before and after the cut-off dates.
  • Unliquidated commitments at the end of the period of availability are cancelled.

Information and Communication

  • The period of availability requirements and expenditure deadlines, including automated notifications of pending deadlines, are timely communicated to individuals responsible for project expenditures.
  • Periodic reporting of unliquidated balances is communicated to appropriate levels of management.

Monitoring

  • Expenditures before and after the cut-off date are periodically reviewed to ensure compliance with the period of availability requirements.
  • Management reviews reports showing budget and actual for period.

Return To Top

H. Reporting

Control Objectives

To provide reasonable assurance that reports of state financial assistance submitted to the state awarding agency include all activity of the reporting period, are supported by underlying accounting or performance records, and are fairly presented in accordance with project requirements.

Control Environment

  • Persons preparing, reviewing, and approving the reports possess the required knowledge, skills, and abilities.
  • Management's attitude toward reporting promotes accurate and fair presentation.
  • The responsibility and delegation of authority for reporting decisions is appropriately assigned.

Risk Assessment

  • Mechanisms exist to identify risks of faulty reporting caused by such items as lack of current knowledge of, inconsistent application of, or carelessness or disregard for standards and reporting requirements of state awards.
  • The underlying source data or analysis for performance or special reporting that may not be reliable is identified.

Control Activities

  • A written policy exists that establishes responsibility and provides the procedures for periodic monitoring, verification, and reporting of project progress and accomplishments.
  • A tracking system is in place that reminds staff when reports are due.
  • The general ledger or other reliable records are the basis for reports.
  • Supervisory review of reports is performed to assure accuracy and completeness of data and information included in reports.
  • The required accounting method is used (e.g., cash or accrual).

Information and Communication

  • An accounting or information system that provides for the reliable processing of financial and performance information for state financial assistance is operating.

Monitoring

  • Communications from external parties corroborate information included in the reports for state financial assistance.
  • Periodic comparison of reports to supporting records is performed.

Return To Top

I. Subrecipient Monitoring

Control Objectives

To provide reasonable assurance that state financial assistance information and compliance requirements are identified to subrecipients, subrecipient activities are monitored, subrecipient audit findings are resolved, and the impact of any subrecipient noncompliance on the project is evaluated. Also, the recipient should perform procedures to provide reasonable assurance that the subrecipient obtained required audits and takes appropriate corrective action on audit findings.

Control Environment

  • Management's commitment to monitoring subrecipients is established.
  • Management's intolerance of overriding established procedures to monitor subrecipients is exhibited.
  • Entity's organizational structure and its ability to provide the necessary information flow to monitor subrecipients are adequate.
  • Sufficient resources are dedicated to subrecipient monitoring.
  • Knowledge, skills, and abilities needed to accomplish subrecipient monitoring tasks are defined.
  • Individuals performing subrecipient monitoring possess the knowledge, skills, and abilities required.
  • Subrecipients demonstrate that:
    • They are willing and able to comply with the requirements of the award and
    • They have accounting systems, including the use of applicable cost principles, and internal control systems adequate to administer the award.
  • Appropriate sanctions are taken for subrecipient noncompliance.

Risk Assessment

  • Key managers understand the subrecipient's environment, systems, and controls sufficient to identify the level and methods of monitoring required.
  • Mechanisms exist to identify risks arising from external sources affecting subrecipients, such as risks related to:
    • Economic conditions.
    • Political conditions.
    • Regulatory changes.
    • Unreliable information.
  • Mechanisms exist to identify and react to changes in subrecipients, such as:
    • Financial problems that could lead to diversion of grant funds.
    • Loss of essential personnel.
    • Loss of license or accreditation to operate project.
    • Rapid growth.
    • New activities, products, or services.
    • Organizational restructuring.

Control Activities

  • The state financial assistance information (e.g., CSFA title and number, project name, name of state agency, amount of award) and applicable compliance requirements are identified to subrecipients.
  • Agreements with subrecipients include the requirement to comply with the requirements applicable to the state project including the audit requirements of Section 215.97, Florida Statutes, and the applicable rules of the Department of Financial Services and the Auditor General.
  • Subrecipient's compliance with audit requirements are monitored using techniques such as the following:
    • Determining by inquiry and discussions whether the subrecipient met thresholds requiring an audit under Section 215.97, Florida Statutes.
    • If an audit is required, assuring that the subrecipient submits the financial reporting package required by Section 215.97, Florida Statutes.
    • If a subrecipient was required to obtain an audit in accordance with Section 215.97, Florida Statutes, but did not do so, following up with the subrecipient until the audit is completed, taking appropriate actions until the subrecipient meets the audit requirements.
  • Subrecipient's compliance with state project requirements are monitored using such techniques as the following:
    • Monitoring findings to inform the subrecipient whether the corrective action planned is acceptable.
    • Maintaining a system to track and following-up on reported deficiencies related to projects funded by the recipient and ensure that timely corrective action is taken.
    • Regular contacts with subrecipients and appropriate inquiries concerning the state project.
    • Monitoring subrecipient budgets.
    • Performing site visits to the subrecipient to review financial and programmatic records and observe operations.
    • Offering subrecipients technical assistance where needed.
  • Written policies and procedures exist establishing:
    • Communication of state project requirements to subrecipients.
    • Responsibilities for monitoring subrecipients.
    • Process and procedures for monitoring.
    • Methodology for resolving findings of subrecipient noncompliance or weaknesses in internal control.
    • Requirements for and processing of subrecipient audits.

Information and Communication

  • Standard award documents used by the nonstate entity contain:
    • A listing of state requirements that the subrecipient must follow. Items can be specifically listed in the award document, attached as an exhibit to the document, or incorporated by reference to specific criteria.
    • The description and project number for each project as stated in the Catalog of State Financial Assistance (CSFA).
    • A statement signed by an official of the subrecipient, stating that the subrecipient was informed of, understands, and agrees to comply with the applicable compliance requirements.
  • A record keeping system is in place to assure that documentation is retained for the time period required by the recipient.
  • Procedures are in place to provide channels for subrecipients to communicate concerns to the recipient.

Monitoring

  • A tracking system is established to assure timely submission of required reporting, such as: financial reports, performance reports, audit reports, on-site monitoring reviews of subrecipients, and timely resolution of audit findings.
  • Supervisory reviews are performed to determine the adequacy of subrecipient monitoring.
Return To Top
Florida Single Audit Act | Catalog of State Financial Assistance | State Projects Compliance Supplement | Rules of the Department of Financial Services | Section 215.97, Florida Statutes, Florida Single Audit Act | Links/Forms

CONSUMER HELPLINE: 1-800-342-2762
Florida Department of Financial Services · 200 East Gaines Street · Tallahassee, Florida 32399-0300 · Privacy Statement