Introduction

Adequate internal control is a key defense (but no guarantee) against fraud, waste and program abuse. All Contractors have a responsibility to reduce the risk of fraud, waste and program abuse by implementing effective internal controls that adequately safeguards assets. This chapter compiles the applicable federal, state and agency requirements and guidance governing internal control. In the event of conflict between these standards and federal statute or regulation, the federal statute or regulation will apply. This chapter is organized as follows with examples of internal control characteristics being provided in Appendix I to this manual:

Individuals who suspect fraud, waste, or program abuse may report the matter to TWC’s Fraud and Abuse Hotline 800-252-3642. The Hotline is available 24 hours a day, 7 days a week and permits anonymous reporting.

Return to Top

General

Effective control and accountability must be maintained for all cash, real and personal property, and other assets funded by public funds.

In accordance with the Grants Management Common Rule (Common Rule) (see Appendix G to this manual for codification) and Part III of the Uniform Grant Management Standards, Contractors must maintain effective internal control and accountability for all grant and subgrant cash, real and personal property, and other assets. Contractors must adequately safeguard all such property and must assure that it is used solely for authorized purposes.

The Office of Management and Budget (OMB) Circular A-133 Compliance Supplement is a useful tool in defining what constitutes “effective internal controls” in that it provides guidance for understanding and evaluating internal control. The guidance in Part 6 of the OMB Circular A-133 Compliance Supplement reflects the definition and description of internal control as published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in its report, “Internal Control-Integrated Framework” (COSO Report). This framework is discussed further in Section 2.2 of this manual.

The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled “Consideration of Internal Control in a Financial Statement Audit.” SAS 78 is effective for all audits of financial statements for periods beginning on or after January 1, 1997. SAS 78 may be purchased from the AICPA.

Authority:

Return to Top

Components of Internal Control

Internal controls shall be designed, implemented and evaluated based on the ability of the controls to provide reasonable assurance for compliance with applicable requirements in a cost effective manner.

The OMB Circular A-133 Compliance Supplement provides assistance in complying with internal control and audit requirements by identifying types of compliance requirements and describing for each, the objective of internal control and certain characteristics of internal control that, when present and operating effectively, may ensure compliance with program requirements. The guidance, however, is not intended as a “checklist of required internal controls characteristics.” Judgment will need to be exercised in determining the most appropriate and cost effective internal control in a given environment or circumstance to provide reasonable assurance for compliance with program requirements.

The types of compliance requirements are primarily described in Parts 3 and 6 of the Compliance Supplement. Part 3 provides fourteen types of compliance requirements that it identifies as being generic to most federal programs that are administered by entities subject to the audit requirements of OMB Circular A-133. Part 6 describes internal control characteristics for thirteen of these fourteen types of compliance requirements (all except those pertaining to special tests and provisions). These characteristics, which are provided in Appendix I to this manual, are organized within the framework of the five components of internal control presented by the COSO Report discussed in Section 2.1 of this manual. The five components of internal control are:

Control Environment. According to the COSO Report, the control environment “sets the tone of an organization and influences the control consciousness of its people.” It provides structure and discipline, and forms the foundation for all other components of internal control.

Risk Assessment. Risk assessment refers to the “identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles [GAAP] (or another comprehensive basis of accounting).”

Control Activities. Control activities are the policies and procedures that help ensure that management’s directives are carried out.

Information and Communication. The identification, capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities.

Monitoring. In relation to the COSO report and SAS 78, monitoring refers to the process used to assess the quality of internal control performance over time.

Authority:

Return to Top

Fraud

Fraud, program abuse [including waste], possible illegal expenditures, unlawful activity, violations of law, Agency rules, or policies and procedures occurring under any grant or program contract awarded by the Agency are prohibited. Suspicion of such misuse must be reported to the Agency’s Office of Investigations no later than five business days from the date of discovery of such act.

Contractors shall establish and implement procedures for preventing, reporting, investigating, and taking appropriate legal and/or administrative action concerning any fraud, program abuse, possible illegal expenditures, unlawful activity, violations of law or Agency rules, or policies and procedures occurring under any grant or program contract awarded by the Agency. Any board member, staff, or subcontractor staff having knowledge of such misuse is required to report such information to the Agency’s Office of Investigations no later than five business days from the date of discovery of such act. Contact information for the Agency’s Office of Investigations is provided in Appendix E to this manual.

Individuals who suspect fraud, waste, or program abuse may report the matter to the Agency’s Fraud and Abuse Hotline 800-252-3642, which is available 24 hours a day, 7 days a week and permits anonymous reporting. Contractors shall establish and implement reasonable internal program management procedures that are sufficient to ensure that its employees, participants, and subcontractors are aware of this Hotline. Hotline posters shall be displayed to ensure maximum exposure to all persons associated with or having an interest in the programs or services provided under a grant or contract awarded by the Agency.

The Office of Investigations may elevate the report to the appropriate federal or state authority, accept the case for investigation and/or action at the state level, or return the case to the Contractor or subcontractor for action including, but not limited to:

  • Further investigation
  • Referral for prosecution under the Texas Penal Code, or other federal or state laws
  • Other corrective action, as may be appropriate

In the event that the Agency refers the case back to the Contractor or subcontractor, the Contractor or subcontractor shall submit a final investigation closing report to the Office of Investigations upon completing the investigation and after all feasible avenues of legal and/or corrective action have been taken.

Contractors shall ensure the confidentiality of all reports of violations as listed above except as provided by law or court order. No retaliation shall be taken against any person filing a report. For additional information about reporting fraud, including examples of reportable violations, see Reporting Fraud.

Authority:
Agency-Board Agreement §19

Return to Top