Internal Controls

The Governmental Accountability, Audit and Internal Control Act (Chapter 814, Laws of 1987) directs state agencies to develop internal control programs.  Internal controls are defined as "the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies."  Through this function, agencies periodically audit their programs and operations to ensure that appropriate internal control measures are in place and to promote sound management.  The overall objective of agency internal control audits is to identify areas of agency operations susceptible to abuse or misuse and to focus resources on control of the most vulnerable and important aspects of operations.

Records Not Covered:  Records created and maintained by the Office of the State Comptroller or Division of the Budget documenting oversight of agency internal control programs.

*90308  Internal Control Policies and Directives 
Final versions of agency policies and directives governing internal control requirements and procedures for agency program units and staff.  These records may also include associated memoranda, bulletins, and manuals which explain agency internal control policies.

Minimum Retention and Disposition:  Destroy 3 years after the policy or directive is withdrawn, revised, or superseded.

Justification:  The issuing office should retain policies for a minimum of 3 years after they are withdrawn, revised, or superseded for use in development of subsequent policies and procedures.  Copies of obsolete policies and procedures have no value to other offices.

90309  Vulnerability Assessment Files 
Correspondence, memoranda, survey forms, risk assessments, and reports created and collected during the course of surveys and studies which identify areas of agency operations susceptible to abuse or misuse.

Minimum Retention and Disposition:  Destroy 3 years after completion of assessment.

Justification:  Background materials are used for reference and to plan for subsequent internal control audits.

90310  Internal Control Audit Work Papers 
Plans, analyses, research materials, draft reports, background materials and related records used to plan and prepare internal control audit reports.

Minimum Retention and Disposition:  Destroy 1 year after completion of an audit report.

Justification:  These records are used for reference for 1 year following the release of an audit report.

*90311 Internal Control Audit Reports 
Reports documenting the findings of internal control audits of agency program areas and recommendations for improvements.

Minimum Retention and Disposition:  Destroy 3 years after completion of the next internal control audit report for the concerned program area.

Justification:  Internal control audit reports may be used during the next audit cycle to monitor compliance with internal control program recommendations.

90312  Corrective Action Files 
Reports, memoranda, and other records documenting responses by program units to vulnerability assessment reports and to internal audit reports.

Minimum Retention and Disposition:  Destroy 3 years after issue has been settled.

Justification:  Records may be useful in program audits by Office of the State Comptroller and other control agencies.

90313  Internal Control Program Subject Files
Reference files used to support the development and administration of agency internal control programs, including reports, plans, articles, policies and procedures, and related material, arranged by subject on topics such as risk management, risk assessment, management practices, operational efficiency, and audit methods.

Minimum Retention and Disposition:  Destroy when obsolete or superseded.

Justification:  These records have no legal or fiscal value.