Internal Controls Policy

Version: 1.00 Issue Date: 2/18/2015

This Internal Controls Policy ensures that internal control goals and objectives are met.

1.0 Overview

This Internal Controls Policy will help ensure internal controls are effective, problems are quickly reported and addressed, and change control meets its purpose to assure changes are implemented without incident.

2.0 Purpose

This Internal Controls Policy requires that internal controls are effectively monitored and improved to maximize their effectiveness and meet their purpose. The purpose of internal controls should be to establish and maintain security, reliability, efficiency, and communication in support of customers and internal business requirements.

3.0 Scope

This Internal Controls Policy applies to all information technology activities and projects and all personnel managing or working on any information technology activities or projects. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Internal Controls

Internal controls include:

  • Management activities
  • Testing
  • Change control/management
  • Security controls such as access controls
  • Auditing
  • Problem resolution and escalation
  • Project management/risk management

5.0 Internal Controls Requirements

  • Internal controls must be effective, timely, and taken seriously by all those affected by them and by all those who enforce them.
  • Procedures must exist that require internal controls to be executed, such as change control/management.
  • Internal controls require enforcement and accountability to be effective.
  • Policies and procedures for internal control managing, planning, monitoring, and reporting must be in place.
  • Management must support internal controls and be ready to remedy internal control deficiencies.
  • An internal controls plan must exist listing each internal control area and high level objectives for each area.
  • For each high level control objective, key controls must be identified and documented.
  • For each key control, responsibility must be documented and communicated when the controls are put in place.
  • Internal controls must have specific requirements that support the business functionality. This could mean that internal controls support quality or other business requirements.
  • The information technology control framework combined with a risk analysis should be used to determine and define IT areas needing controls applied.
  • IT control areas and requirements must be reflected in formal contracts when the contractor provides services in areas requiring controls.
  • Training must be available about the internal controls policy and the internal controls framework so affected staff understand their responsibilities.
  • Internal control responsibilities must be formally assigned and communicated.
  • Internal control responsibilities must be included in training.
  • A formal internal control section must be created, staffed with professionals who specialize in the internal control areas. Certified professionals are desirable for these positions.
  • The internal control section should be periodically assessed by an independent expert and the internal control section should be improved as required.

6.0 Internal Controls Monitoring

  • Management must monitor internal controls and their effectiveness.
  • Procedures must be created for the purpose of monitoring internal controls. Internal controls monitoring must be thorough, accurate, and timely.
  • Shortcomings or deviations in internal controls must be communicated to those responsible and to their management, and must be corrected.
  • Any serious internal control deviations must be reported to upper management.
  • Levels of management that must be involved when reporting and resolving internal control shortcomings must be established. Accountability for reporting and resolution must be established by procedure or set by management.
  • User access controls must be effective and implemented in a timely manner.
  • When access control exceptions are made, the exceptions must be documented and evidence of privilege use must be kept for review. Control exceptions must be reported to management.
  • Where problems with data control are found, they must be immediately reported, analyzed, and addressed with corrective action. The organizational problem management system should be used to ensure the problem is adequately resolved.
  • Procedures must be created to be sure that any problems or internal control failures are:
    • Quickly reported
    • Analyzed
    • Corrected
  • When internal controls fail to work properly, the failure must be reported in a timely manner.
  • Procedures for reporting and resolving internal control failures must be developed and used. Procedures should consider integrity and preservation of evidence, cause analysis, and timely corrective steps.
  • Problem resolution procedures and a problem tracking system should be used to implement internal control corrections.
  • Exceptions to external controls must be reported to the appropriate level of management.
  • The definition of an external control exception must be formalized by creating and defining thresholds and conditions that show internal controls are not working or lacking.
  • The risks of internal control breakdowns must be considered.
  • Evidence of exceptions to external controls must be documented and kept for review.

7.0 Internal Controls Monitoring Improvement

  • The state of organizational internal control must be assessed and reported on a regular basis.
  • An improvement program for continuous improvement of internal controls monitoring must be created and used regularly.
  • The internal control monitoring system must itself be monitored to be sure it is effective, thorough, and timely.
  • Internal controls must be evaluated on a regular basis by independent auditors who do not report to the management in charge of the controls being evaluated. The frequency of evaluations must be determined by management based on need.
  • Internal control process evaluations should be based upon best practices.
  • Frequency of evaluation of the internal control process should consider industry standards.
  • Processes for monitoring internal controls must be created and used. The processes must support objective evaluations.
  • Responsibility and roles for monitoring internal controls and reporting results must be assigned and defined.
  • Those who review internal controls and who review the internal control framework must be qualified through experience and training.
  • Internal control results must be reported to the proper level of management, who can require and enforce corrective action.
  • Data about the state of internal controls must be kept and analyzed to be sure any lacking areas of control are corrected.

7.0 Information Technology Internal Control Service Certification/Accreditation

  • When a critical information technology service is established, an independent accreditation or certification must be conducted. These services should be reassessed annually.
  • A process for independent accreditation and certification of new critical services must be created.
  • Assessments of services should focus on security, reliability, and internal control.
  • Staff performing assessments of services must be skilled through a combination of training and experience.
  • Staff performing assessments must be trained in security and internal controls.
  • If an internal team is used for assessments, they must be independent of the management whose system is being assessed.
  • If an external organization is contracted to perform assessments, contractual agreements must require organizational policy to be followed, non-disclosure agreements must be in place and enforced, and contractors must have background checks performed the same as internal employees.
  • If an external organization is contracted to perform assessments, contractual agreements must define scope, requirements, and liability for errors.
  • Certifications and accreditations must comply with best practices and applicable standards.
  • All testing during certifications or accreditations must be planned and documented.
  • All testing during certifications or accreditations must be oriented to test system performance against requirements.
  • Certification and accreditation test results must be summarized in a report and sent to all stakeholders.
  • Certification and accreditation test results must be kept for review.

8.0 Certification/Accreditation of Third Party Service Providers

  • Third party service providers should agree by contract to provide an accreditation report.
  • Third party service providers should agree by contract to provide accreditation reports on a recurring basis.
  • Third parties must show status of any control exceptions found during a certification or accreditation. The frequencies of updates to this status must be agreed to and stipulated in the contract.
  • Procedures for creating contracts must ensure that contracted third party services follow this policy.
  • The third party service provider must do or show one of the following:
    • The third party service provider is certified by an organization acceptable to both our organization and the service provider.
    • The third party service provider allows access for initial and subsequent certifications and accreditations.
    • The third party service provider provides certification/assessment reports based upon their internal audits which show satisfactory evidence that the service has been properly assessed.
    • A SAS70 type II report covers the service provided by the third party.

9.0 Enforcement

Since following the Internal Controls Policy is important to meet the business needs of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

10.0 Other Policies

  • Change Management Policy
  • Development Life Cycle Policy
  • Quality Policy
  • Service Level Policy
  • Confidential data/information disposal policy (electronic and hard copy)

11.0 Additional Requirements

  • Procedures for reporting and resolving internal control failures must be developed and used. Procedures should consider integrity and preservation of evidence, cause analysis, and timely corrective steps.
  • A process for independent accreditation and certification of new critical services must be created.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________