FIN-6.15 - Internal Controls and Management's Responsibility

Administrative Rules Adopted by City Council (ARC)
Policy number
Administrative Rule Adopted by Council

The purpose of this administrative rule is to establish minimum standards for the establishment of internal controls, and to describe management’s responsibility to establish and monitor such controls.

Authority for this administrative rule is established in the City Charter and City Code.  This administrative rule has been approved by the City Council.

The Accounting Division of the Bureau of Financial Services of the Office of Management and Finance (Accounting Division) will periodically monitor bureaus to assess compliance with the minimum standards of this rule.  As instances of non-compliance are identified, bureaus will be required to develop and implement a corrective action plan.  The Accounting Division will provide assistance to bureaus, if requested, to develop this plan.  The Controller will report all instances of non-compliance annually to the Chief Financial Officer (CFO) and City Council.

“City management” for purposes of this administrative rule means collectively the Mayor, City Council, City Auditor, administrative and financial officers, bureau directors, managers, and supervisors.
“Internal Control” means a process designed to minimize risk by providing reasonable assurance of accurate and reliable financial reporting, compliance with applicable laws and regulations, safeguarding of assets, effective and efficient operations, and accomplishment of management’s goals and objectives.
“Control environment” means an organization’s culture or tone with regard to internal control and represents the foundation for other internal control components. 
“Risk assessment” means evaluation of factors both inside and outside an organization that may expose an organization to risks that may prevent it from accomplishing management’s goals or objectives.
“Control activities” are written policies and procedures and other directives and practices that communicate management direction to minimize risk.

Management’s Responsibility for Internal Controls
1.      City management provides governance, guidance, and oversight to City operations and is ultimately responsible for internal controls.
2.      City management shall be responsible for establishing and maintaining internal controls and for developing policies and procedures to implement such controls.
3.      City management shall be further responsible for evaluating internal controls on a regular basis and modifying them as appropriate and as needed.
4.      City management shall demonstrate commitment to strong internal controls through its leadership, communications, personnel practices, ethics, and daily actions.
5.      City management shall be responsible for providing employees with the information and training necessary to ensure compliance with internal controls.
6.      Each bureau’s management shall formally acknowledge its responsibility for internal control in the form of a letter of representation to be submitted annually to the City Controller.

Internal Control Overview
1.      The establishment and monitoring of internal control shall be an on-going process.
2.      Internal controls may be preventive, detective, or corrective.
3.      The strength of controls placed in operation shall be based on management’s policy to tolerate, monitor, or avoid recognized risks.
4.      Internal controls shall be designed to provide reasonable, but not necessarily absolute, assurance that:
  • City goals and objectives are met;
  • Financial reporting is reliable;
  • Assets are safeguarded;
  • Transactions are accurately and properly recorded and executed in accordance with management authorization;
  • Errors and irregularities are prevented to the greatest extent possible; and
  • Errors and irregularities that do occur are detected, reported, and corrected in a timely manner.
5.      Internal controls shall rely on the compliance of individual City employees; however, such reliance shall recognize the risk created by:
  • Management override,
  • Collusion by two or more individuals,
  • Improper maintenance of adequate segregation of duties and functions,
  • Negligence in updating controls as processes or objectives change,
  • Laxity in providing adequate training as needed and on a continuing basis, or
  • Failure to detect mistakes made in the course of ordinary business.
6.      City management shall appropriately balance the risks and costs of internal controls in such a manner that the costs to control do not outweigh the benefits of such controls.

Five Components of Internal Control
Internal control consists of the following five interrelated components with no single component taking precedence over another component:
  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring
Each component is addressed below.

Control Environment
City management shall be responsible for establishing the City’s control environment and shall set the tone regarding internal controls with respect to:
  • Integrity and ethical values,
  • Commitment to employee competence,
  • Philosophy and operating style,
  • Organizational structure,
  • Assignment of authority and responsibility, and
  • Human resource policies and practices.

Risk Assessment
City management shall be responsible for assessment of risk in all City operations.  Risk shall be identified and managed based on the likelihood of occurrence and the degree of impact.  Response to such risk shall include development and implementation of appropriate internal controls and shall consider the relative cost of implementing such controls versus the benefits to be attained.  Such risks include:
  • Rapid growth in operations,
  • Changes in personnel,
  • Organizational restructuring, such as centralizing or decentralizing,
  • New activities or service areas,
  • New or revised information systems,
  • New technologies in service delivery or information systems,
  • Changes in the operating, including the regulatory, environment, and
  • New or updated accounting practices and/or financial reporting required by accounting pronouncements.

Control Activities
City management shall be responsible for establishing the structure and operational policies and procedures that ensure that City goals and objectives are met.  Such control activities include but are not limited to the following:
  • Creation and maintenance of written documentation of policies, processes, and procedures;
  • Physical controls to safeguard assets, such as lock boxes, access codes, prenumbered forms, required signatures, and physical counts of inventories and assets;
  • Physical controls to safeguard records, such as passwords, access codes, computer back-ups, and a computer disaster recovery plan;
  • Segregation of duties so that no individual has complete control over a process and therefore the capacity to both create and conceal errors or irregularities;
  • Information processing controls to ensure that transactions are valid, properly authorized, complete, and accurate;
  • Maintenance of adequate documentation in support of transactions, such as original invoices, cash receipts, employee time records, and mileage logs;
  • Periodic account reconciliations, and
  • Performance reviews, including budget-to-actual comparisons.

Information and Communication
City management shall be responsible for identification, capture, communication, and, where appropriate, publication, of pertinent information in a form and timeframe that ensures that City goals and objectives may be met.  Such information shall flow downward, across, and upward throughout the organization, and shall additionally flow between external parties and City business partners as appropriate.  Examples of such communication are:
  • Management-authorized job descriptions for all personnel,
  • Written documentation of policies and procedures,
  • AnnualCity budget and revised budget documents,
  • Periodic accounting and budget-comparison information and reports, and
  • Financial reports prepared for external distribution such as the Comprehensive Annual Financial Report.

Monitoring of Internal Control
City management shall be responsible for monitoring internal control including on-going assessment of the effectiveness of controls, policies, procedures, and accounting system design and operation and shall further be responsible for any corrective action needed to address control weaknesses so identified. 
  • Monitoring may be performed by City personnel, including the City Auditor, Audit Services Division, and Accounting Division, or monitoring activities may be contracted out to outside parties.
  • Any errors or irregularities that indicate internal controls weaknesses shall be reported to the City Controller within one business day after they are discovered.
  • The City Controller shall annually report all instances of non-compliance to the Chief Financial Officer (CFO) and City Council.

Resolution No. 36435, adopted by Council September 6, 2006.

Search Code, Charter, Policy