Under M.S. 16A.057, “the head of each executive agency is responsible for designing, implementing and
maintaining an effective internal control system.” The control environment is one of five components contained in the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) internal control framework that lays out the elements of an effective internal control system. The control environment is the foundation for all other components of internal control, and sets the tone of the organization, influencing the control consciousness of its people. It provides discipline and structure as well as the climate that influences the quality of internal control. The development and annual assessment of the control environment will help management to fully comprehend their overall control environment, determine how well it is performing, and identify any needed improvements. Senior management support is critical for the successful documentation and evaluation of the internal control structure.
This document and the control environment self-assessment tool provide agency management with a tool to use in documenting and evaluating their agency’s control environment. The self-assessment tool is based on
COSO’s widely recognized internal control framework utilized by United States public companies, the federal government, and state governments to develop internal control systems within their organizations. Use of this particular self-assessment tool is optional and may be supplemented with another substantially similar tool of the agency’s choosing. However, each agency must apply a formal method to document and evaluate the overall state of their control environment annually.
The self-assessment tool is grouped into four sections as follows:
1.
Demonstrates Commitment to Integrity and Ethical Values and Enforces Accountability

Management believes that integrity and ethical values cannot be compromised and communicates this message to employees through policy statements and codes of conduct, and by leading by example

Communication can be both formal and informal

Management clearly communicates its philosophy and operating style to all employees through a mission statement, goals, and objectives

Management promotes a strong internal control structure
2.
Establishes Structure, Authority, and Responsibility

Management takes responsibility for defining key areas of authority, responsibility, and establishing appropriate lines of reporting

Organization charts illustrate the reporting structure and are made available to employees

Communication to employees may occur in several formats, including delegations of authority, segregation of duties, and limiting access to sensitive information and vulnerable assets
1

3.
Demonstrates Commitment to Competence

Management has standards for hiring qualified people, and clearly communicates these expectations in the form of policies and procedures for hiring, orienting, training, evaluating, coaching, promoting, compensating, and disciplining personnel

Management ensures employees possess appropriate skills and knowledge to effectively perform their jobs, including maintaining effective internal controls. This assurance appears in several forms, including minimum hiring qualification standards, training, and periodic performance evaluations
4.
Exercises Oversight Responsibility

Management maintains good working relationships with its oversight groups, including the legislature, oversight committees, board members, and the Office of the Legislative Auditor

Oversight groups positively influence the agency’s control environment by monitoring its mission, goals, and financial performance
1.
Goal (column A) and Control Objective (column B)
The control environment self-assessment tool consists of twenty goals that are consistent with establishing a strong control environment. Each of the twenty goals is further broken down into one or more control objective(s).
2.
Recommended Controls (column C)
For each goal and control objective identified within the tool, a set of recommended controls is listed.
The recommended controls are intended to help management consider the degree to which the control objective is functioning. Many recommended controls relate to existing state laws and policies, while some reflect business best practices.
1 The list of recommended controls is not all inclusive, but is provided as a starting point. Agency management is encouraged to add controls relevant to their agency, as appropriate.
3.
Assessment (column D)
Use this space to document your assessment of the recommended or identified controls. Assessments should be ranked 1 – 3, with a rank of 1 (Excellent) indicating that the status of the corresponding goal, control objective, and recommended control are very strong within the agency. A ranking of 2
(Adequate) should be given to situations where no perceived control gap exists, but there is room for improvements in the basic structure and/or efficiency and strength of the control(s). A ranking of 3
(Inadequate) should be given where additional action must be taken immediately to remedy a perceived control gap.
4.
Action Taken/Controls Implemented (column E)
Use this space to document the actions taken and controls implemented within your agency to address the corresponding goal, control objective, and/or recommended controls. Agencies are encouraged to identify and document any best practices.
5.
Action Items/Areas Needing Improvement (column F)
1 The MMB Internal Control & Accountability Unit's website provides general links to facilitate research on statutes, rulings and statewide policies/procedures.
2

Use this space to document areas within the agency that do not currently meet the identified goal, control objective, and/or recommended controls. Identifying areas needing improvement is the first step toward improving the issue and establishing a strong control environment.
6.
Target Completion Date (column G)
Indicate an estimated date for when the identified action item(s) will be completed, in an effort to ensure corrective action is taken and to hold those assigned responsibility accountable.
7.
Responsible Party (column H)
Identify a responsible party to ensure accountability of outstanding action item(s).
8.
References (column I)
A list of applicable policies, procedures, statutes, rules, and reference materials are provided. Agency management is encouraged to add any agency specific policies and procedures, or other outside references that may apply to their agency’s achievement of the corresponding goal, control objective, and/or recommended control(s), as appropriate.
Additional space is provided at the end of each section for agency management to note their overall assessment and related comments for each key principle. Additional space is also provided for a summary assessment of the overall control environment at the end of the tool.
A copy of the completed self-assessment tool, along with any supporting control documentation should be organized and retained, either electronically or in hard copy. Organizing this information in a logical manner will provide easy access for future updates, revisions, and handling requests from internal or external parties, such as internal or external auditors.
Documentation will vary by agency. The amount of documentation gathered to evidence the control environment depends on an agency’s size, complexity of its organizational structure, and the business activities it performs. Actual documentation may include agency mission, goals, objectives, organization charts, signed code of ethics/conduct certifications, policies and procedures, etc. However, the information required to document a specific agency’s control environment should become apparent as the agency works through the control environment tool.
1.
Committee on Sponsoring Organizations of the Treadway Commission (COSO). (1994). Internal Control –
Integrated Framework. American Institute of Certified Public Accountants.
2.
Gauthier, S. J. (1994). An Elected Official’s Guide to Internal Controls and Fraud Prevention. Government
Finance Officers Association.
3

3.
IT Governance Institute. (September 2006). IT Control Objectives for Sarbanes-Oxley: The Role of IT in the
Design and Implementation of Internal Control Over Financial Reporting. Information Systems Audit and
Control Association (ISACA).
4.
National Association of State Auditors, Controllers and Treasurers (NASACT). (2008, July). The Internal
Control Guidebook. Retrieved December 14, 2010, from NASACT website: http://www.nasact.org
.
5.
Raftery, W. J. (1997 ( revised in 2005), April). State of Wisconsin: Instructions for the Preparation of an
Agency Internal Control Plan. Retrieved December 14, 2009, from NASACT website: http://www.nasact.org
.
6.
United States General Accounting Office. (1999, November). Standards for Internal Control in the
Federal Government . Retrieved March 22, 2010, from GAO website: http://www.gao.gov
.
4