SECTION OVERVIEW AND POLICIES
Internal Controls Assessment
Title 2, Chapter I, Part 6, Section 6.6 of the New York Codes, Rules and Regulations requires the head of an agency (e.g., Commissioner, Chancellor, Executive Director) to certify to the Comptroller annually, or at any time there is a new head of the agency, that the agency has sufficient internal controls over the payment process to ensure claims are appropriate to pay. Agency heads may use a variety of resources and techniques to obtain assurance about the internal controls over the payment process as a basis for that certification.
- To the extent feasible, separation of duties relating to vendor registration, ordering, receiving and payment functions;
- To the extent feasible, separation of online data entry of claims from claim certification functions; and
- Security over authorized access to agency-controlled systems in the form of operator identification and passwords.
Voucher Authorizer Designation
Section 110 of the State Finance Law requires the head of an agency or a designee to certify or approve the agency’s vouchers and expense reports to the Office of the State Comptroller for audit. To designate an individual other than the agency head to perform this function, the agency must file a written directive with the Office of the State Comptroller. Please see the Voucher Authorizers section below for additional information on this requirement.
Process and Document Preparation:
Annually, each agency head must email a signed certification form to the Office of the State Comptroller to certify internal controls over the:
- payment process, including specific segment(s) or focus area(s) in the subsequent section, Internal Controls Assessment; and
- voucher authorizer designation process.
The agency must complete and retain documentation to support its assessment of internal controls as “Satisfactory,” “Satisfactory with Weaknesses” or “Unsatisfactory.”
Agencies hosted by the Business Services Center (BSC) or another entity are required to certify controls over the portion(s) of the payment process that takes place at the agency. In cases where an agency head oversees more than one agency, the agency head should submit a separate certification form for each agency.
The agency head should use a variety of resources, tools and techniques to obtain evidence to support the Certification of Internal Controls over the Payment Process. These may include internal audit programs, checklists and/or the following programs provided by the Office of the State Comptroller:
|Procurement Card Purchases
|Contracts Requiring Electronic Payments
|Program Area Payments
|Credit Card Reconciliation
|Evidence and Record Retention
|SFS/FMS Access Security
Agencies should access reports in the Statewide Financial System’s (SFS) Analytics to obtain data. The Internal Controls Certification Frequently Asked Questions document contains additional guidance about these reports.
For the certification due by April 30, 2024, in addition to the annual Certification of Internal Controls over the Payment Process, which includes the Voucher Authorizer Certification, each agency is required to assess the effectiveness of its controls over grant contract payments.
The agency should perform a risk assessment of its various grant contracts (e.g., Expense Reimbursement Grant Contracts, Net Deficit Funded Grant Contracts, Performance Based Grant Contracts) to determine the audit’s scope, sample and testing plan.
For the 2024 certification, agencies should assess controls over State-funded grant payments. Agencies may also consider assessing internal controls over Federally-funded grant payments if a risk assessment identifies this as a priority risk area.
At a minimum, for each contract type, agencies will be required to determine the following:
Expense Reimbursement Grant Contracts:
- Expenses claimed were in accordance with the terms and conditions of the grant contracts and the agency had a process to review grant budget expenditures, documentation appropriateness, etc.
- Grantees received the goods/services claimed for reimbursement and the agency had a process to review the timing of services was appropriate, supplies and materials purchased were received and used for the grant program, etc.
- Employees and consultants claimed as working on the program actually worked for the program and the agency had a process to review salaries/rates charged were accurate, staff time charged was appropriate, fringe benefit claims were allowable, etc.
Net Deficit Funded Grant Contracts:
- Funds paid through net deficit funded contracts were appropriately reconciled and supported; the agency had a process to review whether the grantee owed and paid all excess funds to the State; and revenue and expenses were accurately reported, etc.
Performance Based Grant Contracts:
- Funds paid through performance based contracts met the required grant objectives; the agency had a process to review required performance goals, indicators, milestones and/or expected outcomes were within specified timelines; and grantees provided benefits to eligible recipients, where applicable, etc.
To assist the agency’s audit objectives and testing, please see the “Grants” audit program included within the Internal Controls Assessment of this GFO Section.
For the certification due by April 30, 2025, in addition to the annual Certification of Internal Controls over the Payment Process, which includes the Voucher Authorizer Certification, each agency will be required to assess the effectiveness of controls over bulkload and voucher mass approval payment processing.
Voucher authorizers are individuals authorized to certify or approve vouchers or expense reports as just, true and correct and, therefore, appropriate to pay. In accordance with Chapter XII, Section 4.B - Certification of Vouchers, annually, or upon change of the agency head, each agency should file its voucher authorizers and designees with the Office of the State Comptroller by completing the Voucher Authorizer Certification. This includes assessing the effectiveness of controls over the process to designate voucher authorizers. The agency should also file the positions each of its designees hold on Attachment A of the certification form.
Agencies that authorize another agency (e.g., Office of General Services’ BSC) to approve vouchers for submission to the Office of the State Comptroller must complete the Hosted Agencies section on Attachment A of the certification form to indicate the delegation of authority to the host agency.
- Agencies will be required to determine the effectiveness of controls over the voucher authorizer designation process. This includes testing a sample of transactions to ensure policies are being followed appropriately. The agency’s testing must include, but not be limited to, determining whether the agency has documented:
- Relevant policies and procedures to coincide with SFS policies over user access and role assignments, or the policies of the applicable financial management system for bulkload agencies, if applicable.
- That those responsible for performing voucher authorizer updates, (e.g., agency security administrators, security designees) implemented them appropriately.
There are several resources in SFS to identify voucher authorizers. For example, queries are available for online agencies to obtain a list of (i) users with roles that allow them to approve vouchers and expense reports, and (ii) historical role changes by user. Information about queries can be found in SFS Coach.
Agencies that bulkload vouchers and expense reports into SFS will need to identify the corresponding role(s) in their financial management systems and obtain the needed data from within their agency’s system.
For additional guidance on voucher authorizers, please see GFO Chapter XII, Section 4.B – Certification of Vouchers and Chapter XIII, Section 2.C - Expense Report Certification.
Guide to Financial Operations