XII.4.D
Certification of Internal Controls over the Payment Process

 

SECTION OVERVIEW AND POLICIES

 

Title 2, Chapter I, Part 6.6 of the New York Codes, Rules and Regulations requires each agency to maintain adequate internal controls over the payment process to validate the agency claim certification for processing payments. These controls must include, but are not limited to, the following:

  1. To the extent feasible, separation of duties relating to vendor registration, ordering, receiving and payment functions;

  2. To the extent feasible, separation of on-line data entry of claims from claim certification functions; and

  3. Security over authorized access to agency controlled systems in the form of operator identification and passwords.

 

In addition, Part 6.6 requires the head of the agency (e.g., Commissioner, Chancellor, Executive Director) to submit an internal controls certification to the Comptroller certifying that their agency has established such a system of internal control over the payment process. The agency head is required to complete this certification annually or upon change of the agency head.

Section 110 of the State Finance Law requires agencies to authorize vouchers and expense reports to the Comptroller’s Office for audit. Section 4.B - Certification of Vouchers of this Chapter defines how agencies can designate individuals to perform this function. Agencies meet these requirements through the Certification of Internal Controls over the Payment Process.

 

Process and Document Preparation:

 

Annually, each agency head must email a signed certification form to the Comptroller’s Office to certify internal controls over:


The agency must complete and retain documentation to support its assessment of internal controls as “Satisfactory,” “Satisfactory with Weaknesses,” or “Unsatisfactory.”

Agencies hosted by the Business Service Center (BSC) or another agency are required to certify controls over the portion(s) of the payment process that take place at the agency. In cases where an agency head oversees more than one agency, the agency head should submit a separate certification form for each agency.

Please refer to the Frequently Asked Questions for further guidance. For any additional questions, please contact BSEInternalControlCert@osc.ny.gov.

Internal Controls Assessment

The agency head should use various resources, tools, and techniques to obtain evidence to support the Certification of Internal Controls over the Payment Process. These resources can include internal audit guidance, checklists, etc. Also in support of these certifications, the Comptroller’s office provides the following audit programs.

 

Accounts Payable Program Area Payments
Contracts Requiring Electronic Payments Purchase Orders
Employee Expenses Purchasing
Evidence and Record Retention Receiving
Grants SFS/FMS Access Security
Procurement Card Purchases  

 

Agencies should access the Statewide Financial System’s (SFS) Analytics to obtain data related to their SFS transactions. Please refer to the Frequently Asked Questions for further information on this topic.

 

2021 Certification

As a result of the COVID-19 public health emergency, we extended the due date for the 2021 certification to Friday, July 30, 2021.

Many agencies continue to experience challenges related to the COVID-19 public health emergency. In addition to the annual Certification of Internal Controls over the Payment Process and voucher authorizer designation process, as explained in the Voucher Authorizers section below, for the certification due by July 30, 2021, agencies were required to consider how the COVID-19 public health emergency has impacted payment processes, procedures, and related internal controls. For example, agencies should consider the following as part of their testing:



For resources to assist with the agency’s review, please see internal controls audit programs for Accounts Payable and Receiving, and consider referencing the Government Accountability Office’s COVID-19: GAGAS Audit Alert.

2022 Certification

For the certification due by April 30, 2022, in addition to the annual Certification of Internal Controls over the Payment Process and voucher authorizer designation process, each agency is required to assess controls over the proper use of a purchase order.

A purchase order (PO) is used to authorize a vendor to provide goods or services at a dollar amount within the agency’s authority as set in law or by contract. It also communicates critical information to the vendor including the contract number, specific goods or services ordered, price and delivery date.

Using a PO ensures purchasing staff follow a consistent process. For online agencies, the PO in SFS enables the State to (i) establish proper internal controls over the purchasing function, (ii) enhance procurement intelligence, and (iii) better manage planned cash spending.

 

As stated in Chapter XI-A, Section 3 - Purchase Orders of this Guide, agencies are required to use a PO for all single purchases of $10,000 or more, or where the use of a PO is otherwise required in the contract terms, from vendors classified as “procurement suppliers” in the NYS vendor file. In addition, all purchases from agency contracts require POs.

Agencies will be required to assess whether their controls ensure the proper use of purchase orders to effectively manage procurements. For example, agencies should consider the following as part of their testing:


Please refer to the following references in this Guide for additional information on these topics:

Chapter XI-A, Section 3 - Purchase Orders

Chapter XI-A, Section 9 – Receiving

Chapter XII, Section 5.F.4 - Selecting the Appropriate Payment Terms

Chapter XII, Section 8.B - Matching

 

To help agencies assess internal controls over the proper use of purchase orders, we provided an Internal Controls Audit Program.

Additional guidance on the voucher authorizer designation process can be found in the Voucher Authorizers section below.

Voucher Authorizers

Voucher authorizers are individuals authorized to certify or approve vouchers or expense reports as just, true and correct and, therefore, appropriate to pay. The agency head grants this voucher certification authority. The agency head may also identify a designee(s) who can grant voucher certification authority. In accordance with Section 4.B - Certification of Vouchers of this Chapter, annually, or upon change of the agency head, each agency should file its voucher authorizers and designees with the Comptroller’s Office. To do this, the agency should complete the Voucher Authorizer Certification as part of the Certification of Internal Controls over the Payment Process. This includes assessing the adequacy of controls over the process to designate voucher authorizers. The agency should also file the positions each of its designees hold on Attachment A of the certification form.

Please note: Agencies that authorize another agency (e.g., BSC) to approve vouchers for submission to the Comptroller’s Office must complete the Hosted Agencies section on Attachment A of the certification form to indicate the delegation of authority to the host agency.

 

To assess whether internal controls over the voucher authorizer designation process are appropriate, agencies should consider the following as part of testing:

 

Online Agencies

There are several resources available in SFS to identify voucher authorizers already established by the agency. For example, agencies that enter vouchers or expense reports online into SFS can use the NY_USER_LIST_WITH_ROLES_ALL query to obtain a list of users with the following roles, which allow them to approve vouchers or expense reports for submission to OSC: AP Approver All, AP Approver 3, Agency AP Mass Approver, TE Approver 2. Agencies that would like to obtain information about voucher approvers only can use the query NY_AP_VCHR_APPROVERS. Agencies can also use the NY_SEC_ADMIN_ACTIVITY query to identify any role changes made in SFS within a specified timeframe.

 

Bulkload Agencies

Agencies that bulkload vouchers and expense reports into SFS will need to identify the corresponding role(s) in their financial management systems and obtain the needed data from within their agency.

 

Guide to Financial Operations
REV. 01/04/2022