(a) As used in this chapter, “internal control” means a process, including a continuous built-in component of operations, effected by a state agency’s oversight body, management, and other personnel that provide reasonable assurance that the state agency’s objectives will be achieved. The following five components of internal control, if effectively designed, implemented, and operated in an integrated manner, constitute an effective internal control system:
(1) “Control environment” means the foundation for an internal control system that provides the discipline and structure to help a state agency achieve its objectives.
(2) “Risk assessment” means an assessment of the risks facing the state agency as it seeks to achieve its objectives and provides the basis for developing appropriate risk responses.
(3) “Control activities” means the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.
(4) “Information and communication” means the quality of vital information used and communicated to achieve the state agency’s objectives.
(5) “Monitoring” means the activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.
(b) The elements of a satisfactory system of internal control, shall include, but are not limited to, the following:
(1) A plan of organization that provides segregation of duties appropriate for proper safeguarding of state agency assets.
(2) A plan that limits access to state agency assets to authorized personnel who require these assets in the performance of their assigned duties.
(3) A system of policies and procedures adequate to provide compliance with applicable laws, criteria, standards, and other requirements.
(4) An established system of practices to be followed in performance of duties and functions in each of the state agencies.
(5) Personnel of a quality commensurate with their responsibilities.
(6) An effective system of internal review.
(7) A technology infrastructure to support the completeness, accuracy, and validity of information processed.
(c) Agency heads shall follow the standards established by this section of internal control in carrying out the requirements of Section 13402.
(d) Monitoring systems and processes are vital to the following:
(1) Ensuring that routine application of internal controls do not diminish their efficacy over time.
(2) Providing timely notice and opportunity for correction of emerging weaknesses with established internal controls.
(3) Facilitating public resources and other decisions by ensuring availability of accurate and reliable information.
(4) Facilitating production of timely and accurate financial reports, and the submittal, when appropriate, of recommendations for how greater efficiencies in support of the state agency’s mission may be attainable via the consolidation or restructuring of potentially duplicative or inefficient processes, programs, or practices where it appears such changes may be achieved without undermining program effectiveness, quality, or customer satisfaction.
(e) It shall be the responsibility of the Department of Finance, in consultation with the Controller and the California State Auditor, to establish guidelines for the management of state agencies on how the role of monitoring should be staffed, structured, and its reporting function standardized so it fits within an efficient and normalized state agency administrative framework.
(f) Agency heads shall implement systems and processes to ensure the objectivity of the monitoring of internal control as an ongoing activity in carrying out the requirements of Section 13402.
(Amended by Stats. 2015, Ch. 25, Sec. 16. (SB 84) Effective June 24, 2015.)