Rule 117-2-01 | Internal controls.

(A) All public officials are responsible for the design and operation of a system of internal control that is adequate to provide reasonable assurance regarding the achievement of objectives for their respective public offices in certain categories, including but not limited to the categories enumerated in paragraph (B) of this rule.

(B) "Internal control" means a process effected by those charged with governance, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(1) Reliability of financial reporting;

(2) Effectiveness and efficiency of operations;

(3) Compliance with applicable laws and regulations; and

(4) Safeguarding of assets against unauthorized acquisition, use or disposition.

(C) Internal control consists of the following five interrelated components:

(1) Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

(2) Risk assessment, which is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed so as to identify and assess the risks of material misstatements, whether due to fraud or error, at the financial statement and relevant assertion levels.

(3) Control activities, which are policies and procedures that help ensure management directives are carried out so as to identify and assess the risks of material misstatements, whether due to fraud or error, at the financial statement and relevant assertion levels.

(4) Information and communication, which are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

(5) Monitoring, which is a process that assesses the quality of internal control performance over time.

(D) When designing the public office's system of internal control and the specific control activities, management should consider the following:

(1) Ensure that all transactions are properly authorized in accordance with management's policies.

(2) Ensure that accounting records are properly designed.

(3) Ensure adequate security of assets and records.

(4) Plan for adequate segregation of duties or compensating controls.

(5) Verify the existence and valuation of assets and liabilities and periodically reconcile them to the accounting records.

(6) Perform analytical procedures to determine the reasonableness of financial data.

(7) Ensure the collection and compilation of the data needed for the timely preparation of financial statements.

(8) Monitor activities performed by service organizations.

(E) Consideration should be given to the cost benefit of the controls. The cost of controls should not exceed their benefit.