Certification of Internal Controls over the Payment Process
SECTION OVERVIEW AND POLICIES
Title 2, Chapter I, Part 6.6 of the New York Codes, Rules and Regulations requires each agency to maintain adequate internal controls over the payment process to validate the agency claim certification for processing payments. These controls must include, but are not limited to, the following:
- To the extent feasible, separation of duties relating to vendor registration, ordering, receiving and payment functions;
- To the extent feasible, separation of on-line data entry of claims from claim certification functions; and
- Security over authorized access to agency controlled systems in the form of operator identification and passwords.
In addition, Part 6.6 requires the head of the agency (e.g., Commissioner, Chancellor, Executive Director) to submit an internal controls certification to the Comptroller certifying that their agency has established such a system of internal control over the payment process. The agency head is required to complete this certification annually or upon change of the agency head.
Section 110 of the State Finance Law requires agencies to authorize vouchers and expense reports to the Comptroller’s Office for audit. Section 4.B - Certification of Vouchers of this Chapter defines how agencies can designate individuals to perform this function. Agencies meet these requirements through the Certification of Internal Controls over the Payment Process.
Process and Document Preparation:
Annually, each agency head must email a signed certification form to the Comptroller’s Office to certify internal controls over:
- the payment process;
- specific segments of the payment process or payment types identified by year in the subsequent section, Internal Controls Assessment; and
- the voucher authorizer designation process.
The agency must complete and retain documentation to support its assessment of internal controls as “Satisfactory,” “Satisfactory with Weaknesses,” or “Unsatisfactory.”
Agencies hosted by the Business Service Center (BSC) or another agency are required to certify controls over the portion(s) of the payment process that take place at the agency. In cases where an agency head oversees more than one agency, the agency head should submit a separate certification form for each agency.
The agency head should use various resources, tools, and techniques to obtain evidence to support the Certification of Internal Controls over the Payment Process. These resources can include internal audit guidance, checklists, etc. Also in support of these certifications, the Comptroller’s Office provides the following audit programs:
- Accounts Payable
- Contracts Requiring Electronic Payments
- Evidence and Record Retention
- Grants
- Procurement Card Purchases
- Program Area Payments
- Purchase Orders
- Receiving
- SFS/FMS Access Security
Agencies should access the Statewide Financial System’s (SFS) Analytics to obtain data related to their SFS transactions. Please refer to the Frequently Asked Questions for further information on this topic.
As a result of the COVID-19 public health emergency, we extended the due date for the 2021 certification to Friday, July 30, 2021.
Many agencies continue to experience challenges related to the COVID-19 public health emergency. In addition to the annual Certification of Internal Controls over the Payment Process and voucher authorizer designation process, as explained in the Voucher Authorizers section below, for the certification due by July 30, 2021, agencies were required to consider how the COVID-19 public health emergency has impacted payment processes, procedures, and related internal controls. For example, agencies should consider the following as part of their testing:
- Did the agency have proper procedures to ensure it obtained sufficient and appropriate documentation to approve payments while a significant number of employees worked from home? This should include an assessment of how the agency obtained assurance that it received goods and services appropriately.
- Has the agency updated its internal controls to account for applicable new laws, regulations, and responsibilities related to the use or disbursement of government funds made available as part of the response to the COVID-19 pandemic?
For resources to assist with the agency’s review, please see internal controls audit programs for Accounts Payable and Receiving, and consider referencing the Government Accountability Office’s COVID-19: GAGAS Audit Alert.
For the certification due by April 30, 2022, in addition to the annual Certification of Internal Controls over the Payment Process and voucher authorizer designation process, each agency is required to assess controls over the proper use of a purchase order.
A purchase order (PO) is used to authorize a vendor to provide goods or services at a dollar amount within the agency’s authority as set in law or by contract. It also communicates critical information to the vendor including the contract number, specific goods or services ordered, price and delivery date.
Using a PO ensures purchasing staff follow a consistent process. For online agencies, the PO in SFS enables the State to (i) establish proper internal controls over the purchasing function, (ii) enhance procurement intelligence, and (iii) better manage planned cash spending.
As stated in Chapter XI-A, Section 3 - Purchase Orders of this Guide, agencies are required to use a PO for all single purchases of $10,000 or more, or where the use of a PO is otherwise required in the contract terms, from vendors classified as “procurement suppliers” in the NYS vendor file. In addition, all purchases from agency contracts require POs.
Agencies will be required to assess whether their controls ensure the proper use of purchase orders to effectively manage procurements. For example, agencies should consider the following as part of their testing:
- Did the agency issue POs where required?
- Did the PO line(s) describe in detail the specific goods or services ordered as well as the related price(s)?
- Did the agency properly configure the PO for receiving?
- Did the agency ensure POs reference the appropriate payment and discount terms offered by the vendor?
Please refer to the following references in this Guide for additional information on these topics:
To help agencies assess internal controls over the proper use of purchase orders, we provided an Internal Controls Audit Program.
Additional guidance on the voucher authorizer designation process can be found in the Voucher Authorizers section below.
Voucher authorizers are individuals authorized to certify or approve vouchers or expense reports as just, true and correct and, therefore, appropriate to pay. The agency head grants this voucher certification authority. The agency head may also identify a designee(s) who can grant voucher certification authority. In accordance with Section 4.B - Certification of Vouchers of this Chapter, annually, or upon change of the agency head, each agency should file its voucher authorizers and designees with the Comptroller’s Office. To do this, the agency should complete the Voucher Authorizer Certification as part of the Certification of Internal Controls over the Payment Process. This includes assessing the adequacy of controls over the process to designate voucher authorizers. The agency should also file the positions each of its designees holds on Attachment A of the certification form.
Please note: Agencies that authorize another agency (e.g., BSC) to approve vouchers for submission to the Comptroller’s Office must complete the Hosted Agencies section on Attachment A of the certification form to indicate the delegation of authority to the host agency.
To assess whether internal controls over the voucher authorizer designation process are appropriate, agencies should consider the following as part of testing:
- What is the agency’s process for designating voucher authorizers?
- Are there documented policies and procedures for this process? If so, does the agency ensure that they are relevant and that employees, such as Agency Security Administrators (ASA) or security designee(s), implement them as outlined in the agency policies and procedures?
- Do agency policies and procedures coincide with SFS policies over user access and role assignments, or the policies of the applicable FMS for bulkload agencies?
There are several resources available in SFS to identify voucher authorizers already established by the agency. For example, agencies that enter vouchers or expense reports online into SFS can use the NY_USER_LIST_WITH_ROLES_ALL query to obtain a list of users with the following roles, which allow them to approve vouchers or expense reports for submission to OSC: AP Approver All, AP Approver 3, Agency AP Mass Approver, TE Approver 2. Agencies that would like to obtain information about voucher approvers only can use the query NY_AP_VCHR_APPROVERS. Agencies can also use the NY_SEC_ADMIN_ACTIVITY query to identify any role changes made in SFS within a specified timeframe.
Agencies that bulkload vouchers and expense reports into SFS will need to identify the corresponding role(s) in their financial management systems and obtain the needed data from within their agency.