Standard List of Internal Controls (SLIC)
Internal Audit offers consulting services to help you identify applicable controls for your processes and point you to internal controls and best practices. The primary purpose of internal controls is to help safeguard an organization and further its objectives. Internal controls function to minimize risks and protect assets, ensure accuracy of records, promote operational efficiency, and encourage adherence to policies, rules, regulations, and laws.
| Control Number | Process | Sub-Process | What (Objective) | Why (Risk or Exposure) | How (Applicable Controls) |
|---|---|---|---|---|---|
| A1-1.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts (post-dated checks, checks for deposit) are physically safeguarded. | Possible loss or theft of cash and postdated checks may occur. | Cash and postdated checks are kept in a locked, secure place prior to deposit. |
| A1-1.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts (post-dated checks, checks for deposit) are physically safeguarded. | Possible loss or theft of cash and postdated checks may occur. | Where feasible and cost justified, electronic surveillance is used. |
| A1-1.1.3 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts (post-dated checks, checks for deposit) are physically safeguarded. | Possible loss or theft of cash and postdated checks may occur. | Access codes (e.g., lock combinations, keys) are restricted and changed as needed (e.g., when a key has been lost or combination shared). |
| A1-1.1.4 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts (post-dated checks, checks for deposit) are physically safeguarded. | Possible loss or theft of cash and postdated checks may occur. | Situations where cash is held overnight should be avoided; however, when necessary, additional measures segregating cash from those who can access the cash should be taken (e.g., keys should not be kept with lock bags). |
| A1-2.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Only authentic cash and near cash instruments (e.g., currency / bills, credit / debit cards) are accepted. | Possible loss of actual cash (change) and theft of goods or services. | Cash and near cash instruments (e.g., currency / bills, credit / debit cards) are reviewed for authenticity. Checks and money orders are made payable to the County, not individuals. |
| A1-3.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts from all identified sources are deposited timely. | Late or inaccurate information in evaluating customer accounts and/or loss or theft of cash receipts may result in inaccurate financial reporting. | Cash receipts from all identified sources are deposited timely. County policy requires all balances greater than $250 or older than six (6) days be deposited (see G.S. 159-32). |
| A1-3.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts from all identified sources are deposited timely. | Late or inaccurate information in evaluating customer accounts and/or loss or theft of cash receipts may result in inaccurate financial reporting. | Checks are restrictively endorsed immediately upon receipt. |
| A1-4.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts from all identified sources are reconciled against bank deposits and/or bank statements timely. | Loss or theft of cash / near cash may not be detected in a timely manner. | Cash and near cash deposits from all sources are reconciled against deposits and bank statements. |
| A1-4.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts from all identified sources are reconciled against bank deposits and/or bank statements timely. | Loss or theft of cash / near cash may not be detected in a timely manner. | Cash and near cash remittances that do not agree to amounts owed to the County are suspended and investigated. Unidentified cash remittances are immediately returned to the payers or deposited into a suspense account for further research. |
| A1-5.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | All cash has an accountable steward. | Multiple stewards of cash may result in inadequate safeguarding and subsequent loss of the cash. | Cash assigned to an employee (e.g., cash drawer) is counted and the employee acknowledges accountability for the cash. |
| A1-5.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | All cash has an accountable steward. | Multiple stewards of cash may result in inadequate safeguarding and subsequent loss of the cash. | All cash is counted and then returned by the employee to supervision, who acknowledges receipt of the cash. Cash logs should be maintained per Records Retention policies. |
| A1-6.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | All cash deposits are promptly recorded in the general ledger / applied to the correct account (payer) when received and a reconciliation is made daily of all cash deposits to the general ledger. |
| A1-6.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | All transactions (includes sales, refunds and voids) are recorded and valid documents (e.g., receipts) given. |
| A1-6.1.3 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | Payment advice types and/or cash application programs are configured for all types of incoming payments to facilitate matching of receipts to customer accounts. |
| A1-6.1.4 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | Unapplied cash receipts are reviewed and cleared timely. |
| A1-6.1.5 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | Bank accounts related to cash, near cash and accounts receivable activity are reconciled to the general ledger monthly. |
| A1-6.1.6 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Cash receipts may not be recorded when received and cash amounts deposited may not equal cash receipts recorded. | Cash losses / shortages are promptly identified and reported to: - Department Management - Finance (Treasurer's Office) - Internal Audit - Law Enforcement |
| A1-6.2.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Cash receipts are recorded completely and accurately. Cash sources include product sales, accounts receivable collections, asset sales, discard sales, intercounty transfers, and any other sources. Payment types include cash, check, Automated Clearing House (ACH), wire transfer, credit cards, and autoscribe (payment processing). | Credit card information may be compromised manually or electronically. | Payment Card Industry ("PCI") standards are monitored and followed. Refer to PCI Standards for applicable internal risks and controls. https://www.pcisecuritystandards.org/ |
| A1-7.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Petty cash and Change Funds are safeguarded, used only for approved purposes; proper approval and documentation are kept. | Petty cash and Change Funds are used for County purposes and/or misappropriated. | Petty cash funds are assigned to one individual. Funds are only disbursed upon proper approval with only proper documentation. Funds and receipts are kept and replenishment / reconciliation is performed as needed, but at least annually. |
| A1-7.1.2 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Petty cash and Change Funds are safeguarded, used only for approved purposes; proper approval and documentation are kept. | Petty cash and Change Funds are used for County purposes and/or misappropriated. | Change funds (cash drawers) are assigned to one individual. Funds are only used to complete sales transactions. Funds are counted / deposited each day per State and County guidelines. |
| A1-8.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Lock box systems and records are appropriately safeguarded. | Loss or unauthorized changes may occur and go undetected. | Access to lock box systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| A1-9.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Records (e.g., receipts, deposits, bank statements, reconciliations) are safeguarded and maintained per Record Retention policies. | Records are not maintained; transaction and custody evidence is lost. | Records (e.g., receipts, deposits, bank statements, reconciliations) are reviewed at least annually for safeguarding and maintenance per State and County Record Retention policies (see: https://archives.ncdcr.gov/government/local). |
| A1-10.1.1 | A - Cash and Cash Handling | A1 - Cash Receipts and Application | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit for more information. The following duties are segregated among at least two individuals: - Authorize cash receipts - Record cash receipts - Deposit cash receipts - Reconcile cash receipts |
| B1-1.1.1 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Purchasing transactions (e.g., contracts, POs, requisitions and Purchase Cards (P-Cards)) are approved by persons with the appropriate cost / capital approval in accordance with County policy. Transactions should not be split to bypass higher level of review or authorization. |
| B1-1.1.2 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Purchases are executed (placing the order with a vendor / supplier) by individuals with proper execution authority. |
| B1-1.1.3 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Purchasing transactions (e.g., contracts, POs, requisitions and Purchase Cards (P-Cards)) are verified for completeness and accuracy in accordance with County policies. |
| B1-1.1.4 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Supplier rebates are clearly documented to identify volume, dollars and frequency. Volumes are monitored. Rebates are correctly reflected in the financial statements and are collected when due. |
| B1-1.1.5 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Purchasing transactions (e.g., contracts, POs, requisitions and Purchase Cards (P-Cards)) that have not had activity in the past year are reviewed to ensure they are still valid. |
| B1-1.1.6 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Guidance is in place to minimize purchase orders or equivalent from being created for products or services already covered by an agreement. |
| B1-1.1.7 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Where applicable, purchasing transactions (e.g., contracts, POs, and requisitions) are reviewed for embedded financial derivatives, leases (including capital vs. operating), and guarantees prior to execution. Relevant information is communicated appropriately. |
| B1-1.1.8 | B - Procurement | B1 - Purchasing | All purchasing transactions have legitimate business need or purpose, are recorded accurately and are properly authorized in accordance with applicable authority limitations. | Goods or services may be acquired in excess of business need or for unauthorized or personal use. Commitment of funds to suppliers may not be properly approved or reflected and may result in inaccurate financial reporting. Loss of objectivity in vendor selection may result in increased cost to the County. | Purchase Order Change orders are clearly documented to avoid duplicate orders; change orders are properly approved. |
| B1-2.1.1 | B - Procurement | B1 - Purchasing | Purchasing information records held in the system are current. | Purchase contracts / agreements and information records that are not regularly maintained may result in: - purchases from suppliers other than the optimal vendor - purchases based on inaccurate/ outdated information - the County's interests may not be adequately protected in terms of price, indemnification, quality standards, and audit rights. These risks may result in financial loss and/or inaccurate financial statements. | Buyers (Departmental and/or Purchasing) review and maintain agreements in accordance with County policy to ensure they are accurate and current. Expiring contracts / agreements are identified and communicated as appropriate. |
| B1-2.1.2 | B - Procurement | B1 - Purchasing | Purchasing information records held in the system are current. | Purchase contracts / agreements and information records that are not regularly maintained may result in: - purchases from suppliers other than the optimal vendor - purchases based on inaccurate/ outdated information - the County's interests may not be adequately protected in terms of price, indemnification, quality standards, and audit rights. These risks may result in financial loss and/or inaccurate financial statements. | When County policy requires a formal contract, properly approved standard contract templates are used whenever possible. Deviations from the standard contract templates are approved by Legal prior to authorization. |
| B1-2.1.3 | B - Procurement | B1 - Purchasing | Purchasing information records held in the system are current. | Purchase contracts / agreements and information records that are not regularly maintained may result in: - purchases from suppliers other than the optimal vendor - purchases based on inaccurate/ outdated information - the County's interests may not be adequately protected in terms of price, indemnification, quality standards, and audit rights. These risks may result in financial loss and/or inaccurate financial statements. | Unpriced purchase orders (i.e., orders where no unit prices are documented) are monitored in accordance with County policy. |
| B1-2.1.4 | B - Procurement | B1 - Purchasing | Purchasing information records held in the system are current. | Purchase contracts / agreements and information records that are not regularly maintained may result in: - purchases from suppliers other than the optimal vendor - purchases based on inaccurate/ outdated information - the County's interests may not be adequately protected in terms of price, indemnification, quality standards, and audit rights. These risks may result in financial loss and/or inaccurate financial statements. | Emergency orders and requisitions confirming these orders are avoided where possible and used in accordance with County policy. There is a review of emergency order trends. |
| B1-3.1.1 | B - Procurement | B1 - Purchasing | The vendor master file reflects vendors that have been approved to do business with the County. Vendor master file additions, deletions, and modifications are completed accurately by authorized personnel. | Fictitious or duplicate vendors may be created. Inefficient use of resources may be caused by duplicate vendors. | Vendor master data files are maintained for accuracy and completeness by authorized users. Where applicable the Minority/Women Business Enterprise Department ("MWBE") indicator has been set. |
| B1-3.1.2 | B - Procurement | B1 - Purchasing | The vendor master file reflects vendors that have been approved to do business with the County. Vendor master file additions, deletions, and modifications are completed accurately by authorized personnel. | Fictitious or duplicate vendors may be created. Inefficient use of resources may be caused by duplicate vendors. | There is a warning / blocking mechanism in place to prevent duplicate vendor information. A review and clean-up of the vendor master file for duplicate vendors and inactive vendors is performed in accordance with County policy. |
| B1-3.1.3 | B - Procurement | B1 - Purchasing | The vendor master file reflects vendors that have been approved to do business with the County. Vendor master file additions, deletions, and modifications are completed accurately by authorized personnel. | Fictitious or duplicate vendors may be created. Inefficient use of resources may be caused by duplicate vendors. | Vendors / Suppliers are only set up within Purchasing Systems if a valid IRS Tax Identification Number (TIN) and/or Social Security (SSN) exists (via a verified W-9 form) prior to set up. |
| B1-4.1.1 | B - Procurement | B1 - Purchasing | Procurement systems and records are appropriately safeguarded. | Financial loss or unauthorized changes may go undetected. | Access to procurement systems and vendor master data is appropriately restricted and is reviewed at least annually by management. Key areas such as: vendor set-up, access to update address and access to update routing info, etc. are thoroughly reviewed. |
| B1-5.1.1 | B - Procurement | B1 - Purchasing | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| B1-6.1.1 | B - Procurement | B1 - Purchasing | All goods and services are obtained using the most appropriate procurement strategy that includes, e.g. consideration of supplier financial risk, total procurement and life cycle costs (cost is not limited to price) and vendor performance. | Use of an inappropriate procurement strategy to acquire goods or services may expose the County to financial losses or result in lost opportunities to leverage volume purchases, obtain favorable agreements, and receive other benefits for the County. | Vendors are selected according to the most appropriate procurement strategy. This may include leveraging the County's large volume of purchases. |
| B1-6.1.2 | B - Procurement | B1 - Purchasing | All goods and services are obtained using the most appropriate procurement strategy that includes, e.g. consideration of supplier financial risk, total procurement and life cycle costs (cost is not limited to price) and vendor performance. | Use of an inappropriate procurement strategy to acquire goods or services may expose the County to financial losses or result in lost opportunities to leverage volume purchases, obtain favorable agreements, and receive other benefits for the County. | Minority and Women's Business Enterprise (MWBE) guidance and regulations are followed and documented. https://www.guilfordcountync.gov/our-county/mwbe/mwbe-administrative-manual |
| B1-6.1.3 | B - Procurement | B1 - Purchasing | All goods and services are obtained using the most appropriate procurement strategy that includes, e.g. consideration of supplier financial risk, total procurement and life cycle costs (cost is not limited to price) and vendor performance. | Use of an inappropriate procurement strategy to acquire goods or services may expose the County to financial losses or result in lost opportunities to leverage volume purchases, obtain favorable agreements, and receive other benefits for the County. | Appropriate metrics are established and used to properly monitor vendor performance (i.e., actual performance meets quality, cost, and service expectations). |
| B1-6.1.4 | B - Procurement | B1 - Purchasing | All goods and services are obtained using the most appropriate procurement strategy that includes, e.g. consideration of supplier financial risk, total procurement and life cycle costs (cost is not limited to price) and vendor performance. | Use of an inappropriate procurement strategy to acquire goods or services may expose the County to financial losses or result in lost opportunities to leverage volume purchases, obtain favorable agreements, and receive other benefits for the County. | Sole sources of supply are avoided whenever possible to reduce dependence on one supplier. If sole sources of supply are used for essential materials or services, operational management is notified. Justification for sole source of supply and evidence of notification are documented and maintained. |
| B1-6.1.5 | B - Procurement | B1 - Purchasing | All goods and services are obtained using the most appropriate procurement strategy that includes, e.g. consideration of supplier financial risk, total procurement and life cycle costs (cost is not limited to price) and vendor performance. | Use of an inappropriate procurement strategy to acquire goods or services may expose the County to financial losses or result in lost opportunities to leverage volume purchases, obtain favorable agreements, and receive other benefits for the County. | The MOST appropriate procurement method is used (e.g., P-Card, PO, contract). Exceptions are preapproved by Finance-Purchasing. |
| B1-7.1.1 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Procurement cards (P-Cards) are granted by an authorized individual based on County business need. |
| B1-7.1.2 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Procurement cards are used in accordance with County policy and supporting documentation is maintained by the cardholder to support the purchase. |
| B1-7.1.3 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Procurement charges are reviewed and approved after the fact by line supervisors. |
| B1-7.1.4 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Self-approved purchases are monitored by the employee's functional supervision to ensure the expense was reasonable and a valid County expense. |
| B1-7.1.5 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Procurement Card transaction limits are established per transaction and per month on individual procurement cards. |
| B1-7.2.1 | B - Procurement | B1 - Purchasing | Procurement cards and self-approved purchases are in compliance with County policy including proper documentation, approval and accounting. | Transactions may become stale resulting in an inability to correct errors or recoup invalid charges. | Procurement Card transactions are submitted to the approver timely; approvers process transactions timely. |
| B1-8.1.1 | B - Procurement | B1 - Purchasing | All purchasing instruments have been pre-audited and are marked accordingly. | Failure to comply with laws and regulations (pre-audit). | All purchase instruments (e.g., contracts and purchase orders) have been preaudited and have a stamp or certificate similar to the following. “This instrument has been preaudited in the manner required by the Local Government Budget and Fiscal Control Act” (see G.S. 159-28). |
| B1-8.1.1 | B - Procurement | B1 - Purchasing | All purchasing instruments have been pre-audited and are marked accordingly. | Failure to comply with laws and regulations (pre-audit). | See SOG blog: https://canons.sog.unc.edu/2024/01/preauditing-employment-related-agreements/ |
| B1-9.1.1 | B - Procurement | B1 - Purchasing | All purchases (expenditures) should be controlled using the budget ordinance. | Unauthorized (illegal) purchases / expenditures may be made. | Purchases (expenditures) are authorized using the budget ordinance, meaning each purchase / expenditure can be traced to a budget ordinance. |
| B1-10.1.1 | B - Procurement | B1 - Purchasing | Contracts are bid in accordance with State and County guidelines - bids are solicited, reviewed and the most responsive, responsible bidder is selected. (see G.S. 143-128 through 133) | County overpays for goods or services. Contracts are not accounted for in accordance with State requirements. | Types of monitoring and enforcement methods calculate accordingly (e.g., not to exceed, encumbrance, etc.) |
| B1-10.1.2 | B - Procurement | B1 - Purchasing | Contracts are bid in accordance with State and County guidelines - bids are solicited, reviewed and the most responsive, responsible bidder is selected. (see G.S. 143-128 through 133) | Bid fraud occurs and the most responsive, responsible bidder is not selected. | Sealed Bids are not opened until date, time and those in attendance are appropriate. |
| B1-11.1.1 | B - Procurement | B1 - Purchasing | Personal purchases are not allowed. | Personal items may: 1) be paid for with tax dollars, 2) be accounted for incorrectly, or 3) call sales taxes into question. | Accommodation purchases for employees are expressly prohibited. These include purchase of goods made for employees for their personal use from vendors at the unit’s contract price. |
| B2-1.1.1 | B - Procurement | B2 - Contract Administration | All service contracts are properly administered to ensure services are received as intended and expenditures are controlled. For contracts where financial verification is performed by a site contract administrator, conformance to contract terms is verified. | Services may be received but not reported, or reported incorrectly, resulting in unrecorded liabilities, inaccurate inventories, over/under payments, and inaccurate capitalization and/or expense. Non-conformance to contract terms (prices, quantity, delivery) may go undetected. | Contract administrators are trained and appointed for each contract and are maintained throughout the life of the contract. (This includes understanding, communicating and enabling utilization of applicable warranties, service agreements, etc. for purchase.) Where multiple departments utilize the same contract, one department is designated as the contract owner and is responsible for all internal controls surrounding the contract. |
| B2-1.1.2 | B - Procurement | B2 - Contract Administration | All service contracts are properly administered to ensure services are received as intended and expenditures are controlled. For contracts where financial verification is performed by a site contract administrator, conformance to contract terms is verified. | Services may be received but not reported, or reported incorrectly, resulting in unrecorded liabilities, inaccurate inventories, over/under payments, and inaccurate capitalization and/or expense. Non-conformance to contract terms (prices, quantity, delivery) may go undetected. | Receipt of service verification is performed in accordance with County policy. |
| B2-1.1.3 | B - Procurement | B2 - Contract Administration | All service contracts are properly administered to ensure services are received as intended and expenditures are controlled. For contracts where financial verification is performed by a site contract administrator, conformance to contract terms is verified. | Services may be received but not reported, or reported incorrectly, resulting in unrecorded liabilities, inaccurate inventories, over/under payments, and inaccurate capitalization and/or expense. Non-conformance to contract terms (prices, quantity, delivery) may go undetected. | Any alterations to executed agreements (including releases and requisitions) are processed in accordance with County policy. |
| B2-1.1.4 | B - Procurement | B2 - Contract Administration | All service contracts are properly administered to ensure services are received as intended and expenditures are controlled. For contracts where financial verification is performed by a site contract administrator, conformance to contract terms is verified. | Services may be received but not reported, or reported incorrectly, resulting in unrecorded liabilities, inaccurate inventories, over/under payments, and inaccurate capitalization and/or expense. Non-conformance to contract terms (prices, quantity, delivery) may go undetected. | When financial verification (match price billed to the current contract terms) and receipt of service are performed by the contract administrator, the contract administrator specifies that they have confirmed price and receipt of service when approving / authorizing the invoice for payment. |
| B2-3.1.1 | B - Procurement | B2 - Contract Administration | All purchases have been authorized by appropriation. | Unauthorized purchases may be made. | At the time of the contract or purchase order, Finance ensures there is an appropriation authorizing the obligation in the budget ordinance. |
| B2-4.1.1 | B - Procurement | B2 - Contract Administration | All purchases have a sufficient unencumbered balance. | Sufficient funds to pay for purchases may not exist; purchases cannot be paid for. Failure to comply with NC State encumbrance / encumbrance check requirement. | At the time of the contract or purchase order, Finance ensures there is a sufficient unencumbered balance for the obligation created by the contract. See J2-5.1.3. |
| B2-5.1.1 | B - Procurement | B2 - Contract Administration | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| B3-1.1.1 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Items may be received but not reported, or reported inaccurately, resulting in unrecorded liabilities, inaccurate inventories, and over/under/late payments. | Upon receipt of a product, appropriate receiving documentation is prepared and maintained and appropriate information is entered into payment systems timely. |
| B3-1.1.2 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Items may be received but not reported, or reported inaccurately, resulting in unrecorded liabilities, inaccurate inventories, and over/under/late payments. | Receiving notifications via third party electronic data interchange (when Supplier books receipt directly into County system) are monitored in accordance with County policy to ensure accurate and complete entries in the appropriate systems. |
| B3-1.1.3 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Items may be received but not reported, or reported inaccurately, resulting in unrecorded liabilities, inaccurate inventories, and over/under/late payments. | Appropriate procedures are in place to ensure that differences detected by the receiving personnel above established tolerances are investigated and actioned in a timely manner. Materials are promptly inspected to ensure the items are proper, meet product specifications, are not damaged and are appropriately physically delivered to the designated person or area (usually the requisitioner). |
| B3-1.1.4 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Items may be received but not reported, or reported inaccurately, resulting in unrecorded liabilities, inaccurate inventories, and over/under/late payments. | Claims to vendors or carriers are made when cost-justified so that related credits are promptly received for returned materials. |
| B3-1.2.1 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Vendor disputes or litigation may arise due to improper documentation of receipt of goods or services. | Where bulk raw material is received (e.g., truck, tank, rail car, barge, or pipeline), quantities are adequately verified and accounted for in a timely manner. Any difference with a carrier bill of lading in excess of predefined and approved tolerance limits is promptly investigated and corrected. |
| B3-1.2.2 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Vendor disputes or litigation may arise due to improper documentation of receipt of goods or services. | Material received on the basis of concentration or percentage is analyzed. |
| B3-1.2.3 | B - Procurement | B3 - Receiving | Appropriate receiving documentation is maintained or monitored to facilitate verification of vendor invoice accuracy. | Vendor disputes or litigation may arise due to improper documentation of receipt of goods or services. | Accuracy of meters, gauges, scales, etc. used to validate receipt of materials is verified annually at a minimum. Verification results are kept on file. |
| B3-2.1.1 | B - Procurement | B3 - Receiving | Returned goods are sent back to the vendor in a timely manner; credits are sought if payment has been made. Proper approval, recording, and follow-up of returned items is made. | Credit is not received for returned goods. Goods to be returned are processed and returned. | Returned goods are sent back to the vendor in a timely manner; credits are sought if payment has been made. Proper approval, recording, and follow-up of returned items is made. |
| B3-3.1.1 | B - Procurement | B3 - Receiving | Receiving systems and records are appropriately safeguarded. | Financial loss or unauthorized changes may go undetected. | Access to receiving transactions is appropriately restricted and is reviewed by management at least annually. |
| B3-3.1.2 | B - Procurement | B3 - Receiving | Receiving systems and records are appropriately safeguarded. | Financial loss or unauthorized changes may go undetected. | Physical access to the receiving area (e.g. stores, warehouses, docks and tables) is restricted. |
| B3-3.1.3 | B - Procurement | B3 - Receiving | Receiving systems and records are appropriately safeguarded. | Financial loss or unauthorized changes may go undetected. | Incoming goods are secured and safeguarded during the receiving process, particularly in the case of valuable goods. |
| B3-4.1.1 | B - Procurement | B3 - Receiving | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| B4-1.1.1 | B - Procurement | B4 - Payment Verification | If an invoice is submitted, it is verified for accuracy and completeness. | Invoices may be paid incorrectly. | Invoices are financially verified in accordance with County policy on invoice verification. Invoice information (e.g., item / service, quantity, cost, terms, etc.) is compared to the purchase instrument (purchase order, contract, etc.). The approver signs and dates (or otherwise approves) the invoice for payment. |
| B4-1.1.2 | B - Procurement | B4 - Payment Verification | If an invoice is submitted, it is verified for accuracy and completeness. | Invoices may be paid incorrectly. | Determine if sales taxes are being assigned correctly. |
| B4-1.1.3 | B - Procurement | B4 - Payment Verification | If an invoice is submitted, it is verified for accuracy and completeness. | Invoices may be paid incorrectly. | Invoices are individually reviewed and approved for payment (no mass approvals or "rubber stamp" transactions). |
| B4-2.1.1 | B - Procurement | B4 - Payment Verification | Payments are made only for goods and/or services that have been received. | Payment may be made for goods or services never received. | No advance payments are made. |
| B4-3.1.1 | B - Procurement | B4 - Payment Verification | Travel expense reports are in compliance with County policy including proper documentation, approval and accounting. | Individuals may be reimbursed for illegitimate expenses and/or expenses may not be reflected properly in the Financial Statements. | Expense reports are prepared in compliance with the County's travel and entertainment policies, and are submitted and approved timely. |
| B4-4.1.1 | B - Procurement | B4 - Payment Verification | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| B5-1.1.1 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | All disbursements are supported by appropriate documentation. Disbursements are properly and accurately recorded in the accounting records during the period in which the payment was made. |
| B5-1.1.2 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | Supporting documents (e.g., purchase orders, receiving reports, original invoices, etc.) are effectively cancelled after payment to prevent accidental or intentional reuse and sufficient electronic records are maintained to preclude reuse or duplicate payment. |
| B5-1.1.3 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | If a disbursement is made without a supporting purchase order, the disbursement must be properly approved in accordance with applicable authorization limits. |
| B5-1.1.4 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | Returned vendor checks are investigated and the reason for return is documented. |
| B5-1.1.5 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | Bank accounts relating to disbursement activity are reconciled to the general ledger timely. |
| B5-1.1.6 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | Stop payments required on checks or Electronic Funds Transfers (EFTs) are properly authorized and then transacted in accordance with bank instructions. |
| B5-1.1.7 | B - Procurement | B5 - Disbursement | Controls are in place to ensure disbursements are properly approved, adequate supporting documentation exists and payments are recorded accurately. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | All checks have dual signatures or the Board of Commissioners has documented acceptance of one signature. |
| B5-2.1.1 & H1-7.1.1 | B - Procurement | B5 - Disbursement | Only properly authorized personnel can generate manual payments (manual/non-system controlled or non-automated payments). | Inappropriate manual payments may be generated without authorization. | The ability to generate manual payments is restricted. |
| B5-2.1.2 & H1-7.1.2 | B - Procurement | B5 - Disbursement | Only properly authorized personnel can generate manual payments (manual/non-system controlled or non-automated payments). | Inappropriate manual payments may be generated without authorization. | Manual disbursement activity is monitored and controlled by management to ensure there is proper cost authority approval and adequate supporting documentation. |
| B5-2.1.3 & H1-7.1.3 | B - Procurement | B5 - Disbursement | Only properly authorized personnel can generate manual payments (manual/non-system controlled or non-automated payments). | Inappropriate manual payments may be generated without authorization. | Blank and printed checks and check-stock are safeguarded from destruction or unauthorized use. Signature plates, where used, are safeguarded. All checks are issued numerically, and accounted for on a periodic basis. |
| B5-3.1.1 | B - Procurement | B5 - Disbursement | Accounts payable balances are accurate and complete. | Financial statements, records, and operating reports may be inaccurate. Critical decisions may be based upon erroneous information. | The Accounts Payable subsidiary data balances and all supporting records are reconciled to the general ledger. |
| B5-4.1.1 | B - Procurement | B5 - Disbursement | Disbursements (e.g. checks, wire transfers, electronic funds transfers, etc.) are properly approved by appropriate individuals and adequately safeguarded. | Improper verification of account transfers may lead to misappropriation of County funds, duplicate transfers, or transfers to the wrong bank. | Electronic disbursement (wire or electronic funds transfer) totals are compared with approved payment totals prior to the release of funds. |
| B5-4.1.2 | B - Procurement | B5 - Disbursement | Disbursements (e.g. checks, wire transfers, electronic funds transfers, etc.) are properly approved by appropriate individuals and adequately safeguarded. | Improper verification of account transfers may lead to misappropriation of County funds, duplicate transfers, or transfers to the wrong bank. | Access to perform payment processing is restricted (electronic system and physical). |
| B5-5.1.1 | B - Procurement | B5 - Disbursement | Disbursements (e.g. checks, wire transfers, electronic funds transfers, etc.) are properly approved by appropriate individuals and adequately safeguarded. | Checks or signature plates may be misused to the detriment of the County. | Checks are not: 1) made payable to cash or bearer, and 2) signed or approved in blank (approved before vendor / carrier information, dollar amount, date, etc. is filled in). Spoiled, voided, and cancelled checks have the signature portion removed and destroyed, are filed, accounted for, and protected. |
| B5-5.1.2 | B - Procurement | B5 - Disbursement | Disbursements (e.g. checks, wire transfers, electronic funds transfers, etc.) are properly approved by appropriate individuals and adequately safeguarded. | Checks or signature plates may be misused to the detriment of the County. | All preprinted checks are pre-numbered, or automatically numbered as the system generates them, issued numerically, and accounted for on a periodic basis. |
| B5-5.1.3 | B - Procurement | B5 - Disbursement | Disbursements (e.g. checks, wire transfers, electronic funds transfers, etc.) are properly approved by appropriate individuals and adequately safeguarded. | Checks or signature plates may be misused to the detriment of the County. | Blank and printed checks / check-stock are safeguarded from destruction or unauthorized use. Signature plates, where used, are safeguarded. All checks are issued numerically, and accounted for on a periodic basis. |
| B5-6.1.1 | B - Procurement | B5 - Disbursement | Disbursement systems and records are appropriately safeguarded. | Loss or unauthorized changes may not be detected. | Access to disbursement systems is appropriately restricted and is reviewed by management at least annually. |
| B5-7.1.1 | B - Procurement | B5 - Disbursement | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| C1-1.1.1 | C - Customer Service | C1 - Customer Service Improvement | Processes are periodically reviewed for improvement and standardization opportunities. | Processes are performed inefficiently or ineffectively, resulting in excessive costs (e.g., rework) and customer complaints. | Processes and techniques to improve productivity are evaluated for implementation and are standardized to the extent practicable. |
| C1-1.1.2 | C - Customer Service | C1 - Customer Service Improvement | Processes are periodically reviewed for improvement and standardization opportunities. | Processes are performed inefficiently or ineffectively, resulting in excessive costs (e.g., rework) and customer complaints. | Quality assurance procedures are integrated into the process. Quality checks are performed to ensure compliance with quality control standards set by the department or area. |
| C1-2.1.1 | C - Customer Service | C1 - Customer Service Improvement | Customer service metrics are established and monitored by management. | Production may be performed inefficiently or ineffectively, resulting in excessive costs and customer complaints. | Customer service (performance) metrics are monitored and reviewed by management. |
| C1-2.1.2 | C - Customer Service | C1 - Customer Service Improvement | Customer service metrics are established and monitored by management. | Quality problems may not be discovered or appropriately reported and result in inefficiencies and/or inaccuracies. | A root cause analysis is performed of customer quality related returns and complaints. |
| D1-1.1.1 | D - Inventory Assets | D1 - All Asset Types | All assets subject to inventory requirements are identified. | County-owned inventory may be stolen or accidentally discarded. | Management conducts a periodic physical inspection for unidentified assets. |
| D1-2.1.1 | D - Inventory Assets | D1 - All Asset Types | All inventorial items are clearly marked (as appropriate). | County-owned inventory may be stolen or accidentally discarded. | Management conducts a periodic physical inspection of assets to ensure proper marking. |
| D1-3.1.1 | D - Inventory Assets | D1 - All Asset Types | Records of inventories are complete and accurate. | County financial statements and other management reports may be inaccurate. | Management periodically reviews lists of assets for completeness and accuracy. |
| D1-4.1.1 | D - Inventory Assets | D1 - All Asset Types | Material transfers are properly authorized. | Inappropriate materials and/or quantities may be transferred without an authorized requisition or work order. | Transfers of inventory items (location and/or ownership) are properly authorized before the transfer. Movements are recorded properly to reflect the physical location and ownership. |
| D1-5.1.1 | D - Inventory Assets | D1 - All Asset Types | Inventory changes (i.e., quantities and descriptions) are reviewed and approved. | Inventory items may be misused and/or misappropriated. | Only authorized users have the ability to change inventory values (quantities and descriptions); all additions, deletions and changes are reviewed and approved by Management. |
| D1-6.1.1 | D - Inventory Assets | D1 - All Asset Types | Inventory balances are accurate and correctly valued (physical verification of inventories and related account reconciliations are performed). | Physical inventory counts may be inaccurate, improperly recorded, or neglected; inventory records may not accurately reflect the existing inventory balances. | Accurate and complete inventories are taken at all County and non-County locations at prescribed frequencies in accordance with the County's policies (e.g., Physical Inventory Guidelines). |
| D1-6.1.2 | D - Inventory Assets | D1 - All Asset Types | Inventory balances are accurate and correctly valued (physical verification of inventories and related account reconciliations are performed). | Physical inventory counts may be inaccurate, improperly recorded, or neglected; inventory records may not accurately reflect the existing inventory balances. | Quantities determined by physical count are reconciled to the perpetual records; significant variances are fully investigated and root causes identified. |
| D1-6.1.3 | D - Inventory Assets | D1 - All Asset Types | Inventory balances are accurate and correctly valued (physical verification of inventories and related account reconciliations are performed). | Physical inventory counts may be inaccurate, improperly recorded, or neglected; inventory records may not accurately reflect the existing inventory balances. | Cycle counts are the preferred method used for inventory counts. |
| D1-6.2.1 | D - Inventory Assets | D1 - All Asset Types | Inventory balances are accurate and correctly valued (physical verification of inventories and related account reconciliations are performed). | Inventory balances could be misstated, resulting in inaccurate financial reporting. | Adjusting entries resulting from the physical inventory are properly documented, authorized, and recorded. |
| D1-7.1.1 | D - Inventory Assets | D1 - All Asset Types | Inventory is valued correctly. | The value of inventory may be misstated. | Inventories are reviewed for valuation (i.e., the inventory's value is at the lower of cost or market value). |
| D1-8.1.1 | D - Inventory Assets | D1 - All Asset Types | Theft-sensitive items are identified and secured. | Theft-sensitive items are misappropriated. | Theft-sensitive items are identified and, where needed, additional security and inventory procedures are put in place. |
| D1-9.1.1 | D - Inventory Assets | D1 - All Asset Types | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| D2-1.1.1 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Surplus, obsolete, off-spec, and damaged inventory are identified and monitored on a regular basis and disposed of and written-off in accordance with County policy. | Failure to properly account for surplus, obsolete and damaged inventory may result in an overstatement of the inventory balance. | Surplus, obsolete and off-spec inventory are identified in a timely manner, including review of damaged or slow-moving inventory for potential obsolescence. |
| D2-1.1.2 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Surplus, obsolete, off-spec, and damaged inventory are identified and monitored on a regular basis and disposed of and written-off in accordance with County policy. | Failure to properly account for surplus, obsolete and damaged inventory may result in an overstatement of the inventory balance. | Obsolete materials are written down or off in accordance with County guidelines for obsolete and discontinued inventory. Valuation of obsolete / discontinued and off-spec materials is reviewed periodically. |
| D2-1.1.3 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Surplus, obsolete, off-spec, and damaged inventory are identified and monitored on a regular basis and disposed of and written-off in accordance with County policy. | Failure to properly account for surplus, obsolete and damaged inventory may result in an overstatement of the inventory balance. | Damaged and obsolete inventory is identified and segregated when possible. |
| D2-1.1.4 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Surplus, obsolete, off-spec, and damaged inventory are identified and monitored on a regular basis and disposed of and written-off in accordance with County policy. | Failure to properly account for surplus, obsolete and damaged inventory may result in an overstatement of the inventory balance. | Disposition (i.e. alternate use/markets) of damaged and obsolete materials is completed in accordance with County policy. |
| D2-2.1.1 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Disposal / sale of assets is authorized. | Items may be disposed of or sold that have continued value to the County; items may be sent for disposal for the sole purpose of theft. | All asset disposals / sales are authorized for disposal / sale per County guidelines. |
| D2-2.1.2 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Disposal / sale of assets is authorized. | Items may be disposed of or sold that have continued value to the County; items may be sent for disposal for the sole purpose of theft. | All asset disposals / sales follow the same approved process (e.g., 'govdeals'). |
| D2-3.1.1 | D - Inventory Assets | D2 - Disposal / Sale of Assets | For all asset disposals / sales no favoritism is given to any potential buyer (e.g., County employee). | Value received may be less than market value. | All disposals and sales are done at arm's length, meaning all potential buyers are treated the same. Sale information is made available to all potential buyers equally. |
| D2-4.1.1 | D - Inventory Assets | D2 - Disposal / Sale of Assets | All protected County information (e.g., computer hard drives, printed lists, desk drawers) is removed from the asset prior to sale. | County information may be inadvertently disclosed and/or lost. | All assets (e.g., computer hard drives, printed lists, desk drawers) are checked for protected information before disposal or sale. |
| D2-5.1.1 | D - Inventory Assets | D2 - Disposal / Sale of Assets | Disposal items clearly indicate the County accepts no liability for the use or further disposal of the item. | The County may be liable for damages or further disposal expenses. | Legal disclaimers accompany all asset disposals and sales. |
| D3-1.1.1 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory plans reflect business strategies; inventory and related holding costs are minimized in conjunction with meeting supply, customer service and logistics requirements. | Unplanned inventories may tie up working capital and cause increased storage costs and/or obsolescence. | Inventory amounts and order points are periodically reviewed; unplanned inventories are closely monitored to avoid or minimize their impact. |
| D3-2.1.1 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory storage locations are secure and optimized for availability, cost and risk. | Inventory may not be stored in a secure location which maximizes availability, minimizes costs and minimizes inventory risk. | Inventory layout and storage locations are analyzed and reviewed to ensure they are optimized for availability, cost and risk. |
| D3-2.1.2 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory storage locations are secure and optimized for availability, cost and risk. | Inventory may not be stored in a secure location which maximizes availability, minimizes costs and minimizes inventory risk. | Consignment inventory is accounted for and stored in accordance with the consignment agreement. |
| D3-2.1.3 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory storage locations are secure and optimized for availability, cost and risk. | Inventory may not be stored in a secure location which maximizes availability, minimizes costs and minimizes inventory risk. | Storeroom inventory is adequately secured, with consideration given to the risk of loss particular to the asset being protected (e.g., theft-sensitive items such as electronics). |
| D3-3.1.1 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory systems and records are appropriately safeguarded. | Loss or unauthorized changes may go undetected. | Access to inventory control systems (and/or logs) is appropriately restricted and is reviewed at least annually by management. |
| D3-4.1.1 | D - Inventory Assets | D3 - Consumable / Small Dollar Assets | Inventory is valued correctly. | The value of inventory may be misstated. | All perpetual inventory balances reconcile and support the financial records. |
| E1-1.1.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditure proposals are prepared, documented, evaluated, authorized and maintained in accordance with County policy and consistent with business objectives. | Capital expenditures may not be properly authorized and result in cash outflows that are not necessary or in line with the strategic plan of the business. | All elements of capital expenditure proposals are documented in accordance with County policy governing capital authorization and are based on relevant and reasonably reliable information. MWBE efforts are documented. |
| E1-1.1.2 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditure proposals are prepared, documented, evaluated, authorized and maintained in accordance with County policy and consistent with business objectives. | Capital expenditures may not be properly authorized and result in cash outflows that are not necessary or in line with the strategic plan of the business. | Capital expenditure proposals are reviewed and properly authorized prior to the commencement of any work and are assigned a unique identification number. |
| E1-1.1.3 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditure proposals are prepared, documented, evaluated, authorized and maintained in accordance with County policy and consistent with business objectives. | Capital expenditures may not be properly authorized and result in cash outflows that are not necessary or in line with the strategic plan of the business. | Supplemental authorizations are obtained in accordance with County policy when costs are expected to exceed original authorized project/work order amounts. |
| E1-2.1.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Costs incurred are recorded in the appropriate project / work order / account. |
| E1-2.1.2 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Costs in support of capital decisions are reviewed and accounted for in accordance with County policy on capitalization vs. expense. |
| E1-2.1.3 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Leases are reviewed to distinguish between capital and operating leases (see also GASBs 87 & 96). |
| E1-2.1.4 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Project cost reports are compared to authorized budgets and any significant variations are appropriately followed up. |
| E1-2.1.5 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Open construction detail records support balances reflected in the general ledger. |
| E1-2.1.6 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Project costs may not be recorded correctly, which may lead to disallowance of claimed expenses, misstated County assets and depreciation expense, and distorted financial analysis. | Closing report detail to be capitalized for each project is appropriately reviewed and recorded. |
| E1-2.2.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Capitalized interest may not be accounted for in accordance with County policy. | Projects qualifying for capitalized interest are accurately identified to ensure capitalized interest is correctly recorded. |
| E1-2.2.2 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Capital expenditures are properly documented and classified, correctly recorded and accumulated in sufficient detail, including segregation between cost and capital, in accordance with acceptable accounting principles, applicable tax laws and County policy. | Capitalized interest may not be accounted for in accordance with County policy. | Capitalized interest is reviewed at least annually for reasonableness. |
| E1-3.1.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Assets ready for use are capitalized in a timely manner. | Depreciation may not be calculated on ready-for-use assets. | Open construction projects / work orders / accounts are reviewed to ensure timely capitalization of ready-for-use assets. |
| E1-3.1.2 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Assets ready for use are capitalized in a timely manner. | Depreciation may not be calculated on ready-for-use assets. | Inactive or abandoned projects / work orders / accounts are monitored and properly closed. |
| E1-4.1.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Construction project system and records are appropriately safeguarded. | Loss or unauthorized changes could go undetected. | Access to construction project systems and records is appropriately restricted and is reviewed at least annually by management. |
| E1-5.1.1 | E - Fixed Assets | E1 - Assets Under Construction and Project Accounting | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| E2-1.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are classified and recorded in accordance with acceptable accounting principles and applicable tax laws. | Fixed assets may not be properly reflected and may result in inaccurate financial reporting. | New assets, including those acquired through a business or technology acquisition, and those acquired by capital lease, are entered into the fixed asset accounting system according to County policy, GAAP/GAS and tax laws to ensure proper set-up such as useful life, dollar threshold and asset classification. |
| E2-1.1.2 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are classified and recorded in accordance with acceptable accounting principles and applicable tax laws. | Fixed assets may not be properly reflected and may result in inaccurate financial reporting. | Fixed asset transactions, including replacing, acquiring, constructing, retiring, etc. are approved by appropriate levels of management. |
| E2-1.1.3 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are classified and recorded in accordance with acceptable accounting principles and applicable tax laws. | Fixed assets may not be properly reflected and may result in inaccurate financial reporting. | All fixed asset transactions are recorded accurately and in a timely manner, including ensuring all transactions requested were processed. |
| E2-1.1.4 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are classified and recorded in accordance with acceptable accounting principles and applicable tax laws. | Fixed assets may not be properly reflected and may result in inaccurate financial reporting. | Management reviews and evaluates depreciation methods, asset classifications, and useful lives as necessary (e.g. changes in business plans, market conditions, etc.). |
| E2-2.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | All long-lived assets are verified for existence and properly valued. | Fair value declines may not be properly identified, valued, and recorded. | Property, Plant & Equipment are reviewed / tested for impairment per the applicable accounting rules and guidelines for each asset category. |
| E2-3.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are properly depreciated in accordance with County policy and acceptable accounting principles. | Depreciation expense may not be recorded on related asset(s) or may be recorded/calculated incorrectly. | The fixed asset accounting system is configured to calculate depreciation on assets correctly and configuration is reviewed. |
| E2-3.1.2 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed assets are properly depreciated in accordance with County policy and acceptable accounting principles. | Depreciation expense may not be recorded on related asset(s) or may be recorded/calculated incorrectly. | Depreciation expense is reviewed for reasonableness versus prior period and budget at least annually. |
| E2-4.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed asset detail accounting records accurately reflect the County's investment in fixed assets. | Fixed asset detail accounting records may not accurately reflect the County's investment in PP&E. | Fixed asset subsidiary data balances and all supporting schedules are balanced to the general ledger. |
| E2-5.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | Fixed asset accounting systems and records are appropriately safeguarded. | Loss or unauthorized changes may go undetected. | Access to fixed asset accounting systems and records is appropriately restricted and is reviewed at least annually by management. |
| E2-6.1.1 | E - Fixed Assets | E2 - Fixed Asset Accounting | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| E3-1.1.1 | E - Fixed Assets | E3 - Fixed Asset Movements and Disposals | The County's fixed asset records reflect actual assets in use. | Retired, sold, transferred, or reclassified fixed assets may not be properly reflected, resulting in inaccurate financial reporting. | Asset utilization is reviewed at least annually. |
| E3-1.1.2 | E - Fixed Assets | E3 - Fixed Asset Movements and Disposals | The County's fixed asset records reflect actual assets in use. | Retired, sold, transferred, or reclassified fixed assets may not be properly reflected and status of idle assets may not be properly categorized between temporary and permanent classification, resulting in inaccurate financial reporting. | Fixed asset disposal and transfer authorization forms are approved and provided to the appropriate individual. |
| E3-1.1.3 | E - Fixed Assets | E3 - Fixed Asset Movements and Disposals | The County's fixed asset records reflect actual assets in use. | Retired, sold, transferred, or reclassified fixed assets may not be properly reflected and status of idle assets may not be properly categorized between temporary and permanent classification, resulting in inaccurate financial reporting. | Assets, for which no use within the County is foreseen, are promptly dismantled, sold or otherwise disposed of or classified as non-operating or abandoned in place, after obtaining management approval. |
| E3-2.1.1 | E - Fixed Assets | E3 - Fixed Asset Movements and Disposals | The total cost of all County assets that are replaced and/or physically removed from service is properly removed from the County's financial records and any remaining depreciation is expensed. | Fixed asset account balances could be misstated resulting in inaccurate financial reporting. | Existing assets are written off accurately and in a timely manner, with management approval, if they are deemed to be non-operating or abandoned in place, replaced, removed or disposed of. |
| E3-3.1.1 | E - Fixed Assets | E3 - Fixed Asset Movements and Disposals | Surplus property sales are conducted in accordance with State laws (see G.S. 153A-176). | Surplus property sales are not conducted in accordance with State laws. Surplus property sale value is not maximized. | All sales of surplus property are conducted in accordance with G.S. 153A-176. |
| E4-1.1.1 | E - Fixed Assets | E4 - Physical Verification | A process for physical verification of assets is established and monitored in accordance with County policy to ensure fixed asset records are complete and accurate. | The detailed fixed asset system records may not accurately reflect the existing physical assets. | A physical verification of assets is performed in accordance with County policy. |
| E4-1.1.2 | E - Fixed Assets | E4 - Physical Verification | A process for physical verification of assets is established and monitored in accordance with County policy to ensure fixed asset records are complete and accurate. | The detailed fixed asset system records may not accurately reflect the existing physical assets. | Reconciliation is performed comparing results of physical verification to the fixed asset accounting system records; resulting financial adjusting entries are properly authorized and recorded in a timely manner in accordance with County policy. |
| E4-2.1.1 | E - Fixed Assets | E4 - Physical Verification | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| F1-1.1.1 | F - Human Resources, Compensation & Benefits | F1 - Personnel Access and Confidentiality | Confidentiality of human resource information is maintained. | Confidential employee and/or applicant information may be disclosed, possibly resulting in violation of employment laws, potential litigation and other possible liabilities. | Access to employee and applicant records is restricted to authorized individuals; access is reviewed at least annually. |
| F1-1.1.2 | F - Human Resources, Compensation & Benefits | F1 - Personnel Access and Confidentiality | Confidentiality of human resource information is maintained. | Confidential employee and/or applicant information may be disclosed, possibly resulting in violation of employment laws, potential litigation and other possible liabilities. | The frequency with which authorized personnel access human resource records is monitored. |
| F1-1.2.1 | F - Human Resources, Compensation & Benefits | F1 - Personnel Access and Confidentiality | Confidentiality of human resource information is maintained. | Employee records are not maintained per State requirements and vital employee information is discarded and no longer available. | All employee records are maintained in accordance with State record retention requirements. |
| F1-2.1.1 | F - Human Resources, Compensation & Benefits | F1 - Personnel Access and Confidentiality | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper or undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| F2-1.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Each employee and applicant data record is unique. | Employees and applicants may have the same name, which may result in personnel master data changes being made to the wrong file or confidential information being inadvertently disclosed. | Unique identification numbers are assigned to each applicant and/or employee. |
| F2-2.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Job applicants are suited to the position. | Over or under qualified candidates may be hired. | Adequate job descriptions and hiring criteria are maintained and candidates' qualifications are compared with the job requirements. |
| F2-2.1.2 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Job applicants are suited to the position. | Over or under qualified candidates may be hired. | Uniform criteria should be used when classifying jobs and assigning titles. |
| F2-2.1.3 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Job applicants are suited to the position. | Over or under qualified candidates may be hired. | Background checks and other means are used to identify and screen applicants for employment. |
| F2-2.2.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Job applicants are suited to the position. | Lack of appropriate consideration of internal candidates may not allow for development of existing employees. | Postings for internal and external job positions are approved in accordance with County policy. |
| F2-2.3.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Job applicants are suited to the position. | Employees previously terminated for ethical violations, poor performance, or other disciplinary actions may be re-hired. | Personnel files are reviewed prior to rehiring a former employee to ensure that prior work record warrants consideration of the employee for the position. |
| F2-3.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Employees receive key work related information. | New employees do not receive sufficient / consistent information on key work related information. | When the employee commences employment, he/she is supplied with the following particulars in writing: - employer's full name and address; - the name and occupation of the employee, or a brief description of the work for which the employee is employed; - the place of work, and, where the employee is required or permitted to work at various places; - the date on which the employment began; - the employee's ordinary hours of work and days of work; - the employee's wage or the rate and method of calculating wages; - the rate of pay for overtime work; - any other cash payments that the employee is entitled to; - any payment in kind that the employee is entitled to and the value of the payment in kind; - how frequently remuneration will be paid; - any deductions to be made from the employee's remuneration; - the leave to which the employee is entitled; - the period of notice required to terminate employment, or if employment is for a specified period, the date when employment is to terminate; - a description of any council or sectoral determination (Wage Determination) which covers the County; - a list of any other documents that form part of the contract of employment, indicating a place that is reasonably accessible to the employee where a copy of each may be obtained. |
| F2-3.1.2 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Employees receive key work related information. | New employees do not receive sufficient / consistent information on key work related information. | When any term or condition of employment of an employee changes, the written particulars are updated to reflect the change; employees are supplied with a copy of the document reflecting the change. |
| F2-3.1.3 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Employees receive key work related information. | New employees do not receive sufficient / consistent information on key work related information. | When an employee is not able to understand the written particulars, the information is explained to the employee in a language and in a manner that the employee understands. |
| F2-4.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Hiring, promotion, transfer, and termination practices adhere to County policies and comply with applicable laws and regulations. | Laws and governmental regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | Employment policies are reviewed annually by local legal counsel to ensure compliance with legal and regulatory requirements. Policy changes are communicated and implemented. |
| F2-4.1.2 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Hiring, promotion, transfer, and termination practices adhere to County policies and comply with applicable laws and regulations. | Laws and governmental regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | Policies and guidelines for hiring, promotion, transfer, and termination are defined, documented, communicated, and adhered to. |
| F2-4.1.3 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Hiring, promotion, transfer, and termination practices adhere to County policies and comply with applicable laws and regulations. | Laws and governmental regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | A mechanism is in place to ensure that managers and supervisors are aware of applicable employment laws, regulations and County policies. |
| F2-4.1.4 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Hiring, promotion, transfer, and termination practices adhere to County policies and comply with applicable laws and regulations. | Laws and governmental regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | A mechanism is in place to ensure that personnel files include documentation supporting hiring, promotion, transfer, termination, benefit election, and any other documents deemed necessary by the County's legal counsel to ensure compliance with applicable employment laws. |
| F2-4.2.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Hiring, promotion, transfer, and termination practices adhere to County policies and comply with applicable laws and regulations. | Records may be lost or prematurely destroyed, resulting in loss of audit trail. | Human resource records are filed and retained in accordance with laws and regulations and County policy. Management reviews and approves any files selected for destruction. |
| F2-5.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Personnel data is properly maintained to support payroll processing, tax withholdings, and benefit elections. | Additions, pay rate changes, terminations, or other actions may not be authorized or recorded accurately. | Standard forms are used to document changes to payroll and other personnel data. |
| F2-5.1.2 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Personnel data is properly maintained to support payroll processing, tax withholdings, and benefit elections. | Additions, pay rate changes, terminations, or other actions may not be authorized or recorded accurately. | Changes to personnel data are authorized and input correctly. Management timely reviews automated reports of changes to employee data, including pay rate changes and terminations. |
| F2-5.1.3 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Personnel data is properly maintained to support payroll processing, tax withholdings, and benefit elections. | Additions, pay rate changes, terminations, or other actions may not be authorized or recorded accurately. | Relational validations (search on employee number, position number, name and address, etc.) are performed to prevent or timely detect duplicate entries; necessary follow up is performed. |
| F2-5.1.4 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | Personnel data is properly maintained to support payroll processing, tax withholdings, and benefit elections. | Additions, pay rate changes, terminations, or other actions may not be authorized or recorded accurately. | A mechanism is in place to ensure that all employees in personnel data files exist (no "ghost" employees). |
| F2-6.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | The reason for employee termination adheres to County policy and local law. | Terminated employees may litigate, and insufficient documentation may make it difficult for the County to defend its position. | Human Resources and local legal counsel are consulted prior to an involuntary termination. |
| F2-7.1.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | County policy for terminating employees is followed. | Terminated employees may not return County assets in their possession. | Line management assigns and monitors County property loaned to employees. |
| F2-7.1.2 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | County policy for terminating employees is followed. | Terminated employees may not return County assets in their possession. | Human Resources provides the employee's manager with a standard checklist that can be used to ensure that all County assets (passes, keys, computer, etc.) are collected before employee's departure. |
| F2-7.2.1 | F - Human Resources, Compensation & Benefits | F2 - Personnel and Payroll Processing | County policy for terminating employees is followed. | Employee may continue to be paid, receive benefits, or owe the County money. | Terminations are reported to HR on or before the termination date so the employee's final pay is correctly calculated and appropriately considers outstanding amounts owed to the County for loans, advances, and other liabilities. |
| F3-1.1.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Payroll accounting configuration and payroll tables reflect the needs of the organization. | Payroll configuration may not be consistent with the business needs for earnings calculations. | Systems configuration of earnings and withholdings is appropriate and adequately supports payroll processing. |
| F3-2.1.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Payroll hours and rates may not be correct. | Computation of base pay is based on data in personnel files and/or approved time reports or other appropriate, approved supporting documentation. |
| F3-2.1.2 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Payroll hours and rates may not be correct. | Non-standard or overtime hours are approved and correctly input. |
| F3-2.1.3 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Payroll hours and rates may not be correct. | Compensatory time is only allowed per County Regulations (Reg. 43); non-standard or overtime hours are paid per County payroll policies. |
| F3-2.1.4 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Payroll hours and rates may not be correct. | Overpayment to employees is promptly sought and returned to the County. |
| F3-2.2.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Payroll, taxes, benefits, other withholdings, and related liabilities may not be calculated, disbursed, or reported accurately. | Payroll, taxes, benefits, other withholdings, and related liabilities are properly processed. |
| F3-2.3.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | The payroll system may encounter an error during processing, resulting in incomplete payroll. | If the payroll system encounters an exception during processing, a payroll exception report is generated. Exceptions are reviewed and resolved before the pay confirmation process begins. |
| F3-2.3.2 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | The payroll system may encounter an error during processing, resulting in incomplete payroll. | Payroll processors review the payroll for reasonableness, and perform relational checks of total compensation, tax and other withholdings to identify significant processing errors. |
| F3-2.3.3 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | The payroll system may encounter an error during processing, resulting in incomplete payroll. | Payroll expense, payroll tax, and related liabilities are posted and reviewed to ensure general ledger accounts are correct and appropriate. |
| F3-2.4.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Expenses and liabilities for payroll taxes and other benefits may not be disbursed to the relevant third party on a timely basis. | Payroll related taxes are remitted to the appropriate regulatory agency within the allowable time period. |
| F3-2.4.2 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Expenses and liabilities for payroll taxes and other benefits may not be disbursed to the relevant third party on a timely basis. | Notifications from taxing authorities are resolved in a timely manner. |
| F3-2.4.3 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Expenses and liabilities for payroll taxes and other benefits may not be disbursed to the relevant third party on a timely basis. | Payroll deductions are remitted to third party administrators on a timely basis. |
| F3-2.5.1 | F - Human Resources, Compensation & Benefits | F3 - Payroll Accounting | Compensation paid to employees and related regulatory payments are initiated, processed, recorded, and disbursed properly. | Cash disbursements may not be correct. | All bank accounts are reconciled monthly in accordance with County policy. |
| F4-1.1.1 | F - Human Resources, Compensation & Benefits | F4 - Additional income outside of standard pay | Any additional income outside of standard pay adheres to County policy, complies with applicable laws and regulations and is administered in accordance with the plan documents. | Laws, governmental, and accounting regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | Any additional income outside of standard pay is reviewed annually to ensure continued compliance with applicable tax, legal, accounting, and other regulations. |
| F4-1.1.2 | F - Human Resources, Compensation & Benefits | F4 - Additional income outside of standard pay | Any additional income outside of standard pay adheres to County policy, complies with applicable laws and regulations and is administered in accordance with the plan documents. | Laws, governmental, and accounting regulations may be violated, resulting in fines, penalties, lawsuits, or other liabilities. | Any additional income outside of standard pay has design and metrics, including eligibility and target levels, and is reviewed annually and approved by the Compensation Committee. |
| F5-1.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Eligible participants may be improperly excluded from participation and/or ineligible participants may be entered as program participants. | Appropriate eligibility rules are defined for each benefit plan. Eligibility is determined for each participant (including dependents). Lists of eligibility are communicated to the Third Party Administrators and loaded into system tables. |
| F5-1.1.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Eligible participants may be improperly excluded from participation and/or ineligible participants may be entered as program participants. | A relational check is performed between benefits chosen and participant eligibility. |
| F5-1.2.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Participant benefit elections may not be recorded correctly. | Changes to benefit elections are updated by employees or other authorized personnel and activity reports are generated and reviewed by Benefits management as necessary. |
| F5-1.2.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Participant benefit elections may not be recorded correctly. | The system ensures logical relations between different options (e.g. only one healthcare option, etc.) and completion of all required fields. |
| F5-1.2.3 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Participant benefit elections may not be recorded correctly. | Participants are required to complete benefit selections and default benefits are assigned to active employees who fail to self-select within a set period of time. |
| F5-1.2.4 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits are administered in accordance with County policy. | Participant benefit elections may not be recorded correctly. | Confirmations of participant benefit selections are made available. |
| F5-2.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits systems and records are appropriately safeguarded. | Unauthorized changes to the benefits configuration tables may go undetected. | Access to benefit configuration tables is appropriately restricted and is reviewed, at least annually, by management. |
| F5-2.1.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits systems and records are appropriately safeguarded. | Unauthorized changes to the benefits configuration tables may go undetected. | Access to employee eligibility systems and data is appropriately restricted and is reviewed, at least annually, by management. |
| F5-2.2.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefits systems and records are appropriately safeguarded. | Unauthorized changes to Third Party Administrator benefit configuration tables may go undetected. | If applicable, the County provides changes in benefit rules to the Third Party Administrator. Acceptance testing is performed by the County before changes are implemented. |
| F5-3.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit premium payments due from participants are collected. | Benefit arrears payments may not be collected from employees (current and former) resulting in additional cost to the County. | Benefit premium payments from participants who are in arrears are tracked and collected. |
| F5-4.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Data transmitted to Third Party Administrators is correct. | Third Party Administrator's data files may be incorrect. | Validation checks exist to ensure data submitted agrees to third party files. Exceptions are resolved on a timely basis. |
| F5-4.2.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Data transmitted to Third Party Administrators is correct. | Benefits may be paid on behalf of ineligible parties. Expenses may be paid that do not qualify under the plan. | Benefit payments are made in accordance with the terms and conditions of the plans, reviewed and approved. |
| F5-4.2.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Data transmitted to Third Party Administrators is correct. | Benefits may be paid on behalf of ineligible parties. Expenses may be paid that do not qualify under the plan. | Continuation of post-employment benefits is verified on a regular basis for accuracy. Benefit discontinuance dates are set and communicated to Third Party Administrators (and former employees). |
| F5-5.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Transactions with the Service Providers are accurate, in accordance with contract provisions, and restricted to appropriate individuals. | Service Provider fees paid may not be appropriate. | Fees to Service Providers for services provided are paid in accordance with contract provisions and approved by management before funds are disbursed. |
| F5-5.2.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Transactions with the Service Providers are accurate, in accordance with contract provisions, and restricted to appropriate individuals. | Unauthorized, inaccurate, or processing errors initiated at the Service Provider may not be detected. | Changes to participant records or deductions initiated by the Third Party Administrator are validated against County source systems and records. |
| F5-5.2.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Transactions with the Service Providers are accurate, in accordance with contract provisions, and restricted to appropriate individuals. | Unauthorized, inaccurate, or processing errors initiated at the Service Provider may not be detected. | Access to benefit file information is restricted to those individuals who need such information to complete their duties and is reviewed at least annually. |
| F5-6.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit calculations are complete and accurate. | There may be calculation errors in accruals for employee benefits earned but not paid (vacation expense, stock compensation, pension, etc.) | System is programmed to properly compute benefits, and provide support for payroll and benefit deductions. |
| F5-6.1.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit calculations are complete and accurate. | There may be calculation errors in accruals for employee benefits earned but not paid (vacation expense, stock compensation, pension, etc.) | Pension payments are calculated, and non-standard calculations are reviewed. |
| F5-7.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Annual benefit rates (excluding Pension/OPEBs) are developed and used in the recording of benefit accruals. |
| F5-7.1.2 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Pension and actuarial (e.g., OPEBs) rates for benefit plan accruals and related employee benefit liability accounts are periodically reviewed by management (at least annually). |
| F5-7.1.3 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Initial computations of benefit rates/amounts are reviewed by management to ensure that all components are considered. |
| F5-7.1.4 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Benefit rates/amounts are periodically reviewed and adjusted based on actual experience and other performance metrics. |
| F5-7.1.5 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Benefit liabilities and expenses are reviewed to ensure postings to the general ledger accounts are correct and appropriate. |
| F5-7.1.6 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Benefit liabilities are accumulated and recorded in the appropriate general ledger account in the proper accounting period. | Benefit processing may be incomplete and/or inaccurate and processing errors may go undetected. | Benefit payments calculated are reconciled to the payments made by Paying Agents, if applicable, and also reconciled to the amount funded by the County, as appropriate. |
| F5-8.1.1 | F - Human Resources, Compensation & Benefits | F5 - Benefits | Regulatory requirements related to benefit plans are complied with. | Fines and penalties may be incurred if required regulatory filings are not accurate and timely. | Management identifies filing requirements for each benefit plan and ensures that reports are prepared and filed according to regulatory agency requirements. |
| F6-1.1.1 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Well performing employees may seek other employment; poor performing employee behavior may go unchallenged and unchanged. | A documented code of conduct exists and includes compliance measurement and disciplinary procedures. |
| F6-1.1.2 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Well performing employees may seek other employment; poor performing employee behavior may go unchallenged and unchanged. | There is a mechanism in place through which employees' performances are regularly assessed against agreed upon defined goals and objectives. |
| F6-1.1.3 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Well performing employees may seek other employment; poor performing employee behavior may go unchallenged and unchanged. | Employees understand and acknowledge their job responsibilities and the scope of their positions. |
| F6-1.1.4 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Well performing employees may seek other employment; poor performing employee behavior may go unchallenged and unchanged. | Measurable goals and objectives relating to the individual roles and responsibilities are established and monitored by appropriate management. The reasons for non-achievement are identified and reviewed. |
| F6-1.1.5 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Well performing employees may seek other employment; poor performing employee behavior may go unchallenged and unchanged. | Employees with persistent absenteeism or serious misconduct are identified, monitored and appropriate disciplinary actions are taken. |
| F6-1.2.1 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employee performance is regularly assessed; appropriate compensation adjustments are taken. | Appraisals are not adequate and can lead to misunderstandings. | Management and supervisors know their roles and responsibilities relating to the appraisal program. |
| F6-2.1.1 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employees receive training and development. | Employees are not utilized to their full potential. | Training and development needs are determined and agreed upon using performance shortcomings as the basis. |
| F6-2.1.2 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employees receive training and development. | Employees are not utilized to their full potential. | Staff training and development needs are satisfactorily and cost-effectively addressed. |
| F6-3.1.1 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | The appraisal system meets relevant employment legislation. | All appraisal related decisions must be readdressed. | Relevant employment legislation is considered in designing the staff appraisal system and disciplinary procedures. Current legislation updates are adopted accordingly to ensure compliance with legislation. |
| F6-4.1.1 | F - Human Resources, Compensation & Benefits | F6 - Employee Performance | Employees have access to an appraisal grievance process. | Legitimate employee concerns may not be adequately addressed. | There are appropriate alternative independent means through which staff communicate their problems and concerns. Employees have the right to formally escalate their grievances. |
| F7-1.1.1 | F - Human Resources, Compensation & Benefits | F7 - Employee Ethics | Violations of the County's Business Ethics Policy are identified and investigated. | Ethics violations may not be investigated. | Allegations of ethics violations are reported to Internal Audit for investigation. |
| F7-2.1.1 | F - Human Resources, Compensation & Benefits | F7 - Employee Ethics | An employee that brings forward ethics-related concerns is held harmless, unless the concern is found to be intentionally deceiving or intentionally injurious to another employee. | An employee who brings forward a good faith concern is punished or faces retaliatory actions from other employees. | Employee confidentiality is strictly kept. Identifying information is only shared with the permission of the employee unless there is an overriding legal or safety issue. |
| G1-1.1.1 | G - Tax | G1 - Tax Administration | The administration of taxes and the provision of advice and counsel in tax matters to County leadership is performed. | Improper tax planning may fail to optimize the impact of both current and emerging tax requirements and reduce the County's overall tax revenue. | Tax planning is performed on an ongoing basis, so that emerging tax requirements or opportunities are identified. |
| G1-1.2.1 | G - Tax | G1 - Tax Administration | The administration of taxes and the provision of advice and counsel in tax matters to County leadership is performed. | New tax law and regulation changes may not be identified and reflected appropriately or timely; tax data related to current year income may be incomplete and/or inaccurate, such that material errors or misstatements are not detected. | Significant new tax law and regulation issues are identified and documented as to impact on the County. |
| G1-2.1.1 | G - Tax | G1 - Tax Administration | Tax notices are issued timely; tax receipts are received timely. | Tax notices / receipts may not be made timely, resulting in lost revenues. | Tax filing due dates and payment dates are maintained and tracked. |
| G1-3.1.1 | G - Tax | G1 - Tax Administration | Taxing is performed in accordance with current law and regulations (see G.S. 153A-149). | Taxes may not be calculated or reported based upon current tax law and regulations. | Appropriate personnel are certified and maintain those certifications. |
| G1-3.1.2 | G - Tax | G1 - Tax Administration | Taxing is performed in accordance with current law and regulations (see G.S. 153A-149). | Taxes may not be calculated or reported based upon current tax law and regulations. | Appropriate personnel are advised of significant new tax law and regulation issues. |
| G1-4.1.1 | G - Tax | G1 - Tax Administration | Property tax is properly calculated, recorded and the appropriate amount of property tax is received and remitted to the correct jurisdiction. | Property taxes may not be properly stated. | Assessment notices are reviewed to determine that the assessed tax follows statutory or regulatory guidelines. |
| G1-5.1.1 | G - Tax | G1 - Tax Administration | Tax rates used for current and future tax calculations are reasonably correct. | Tax projections do not accurately reflect probable future revenues resulting in inadequate use decisions. | Tax rates used for current and future tax calculations are reviewed for correctness. |
| G1-6.1.1 | G - Tax | G1 - Tax Administration | Tax financial systems and records are properly safeguarded. | Loss of tax data or unauthorized changes to the data, records or programs may occur and go undetected. | Access to tax financial systems and records is appropriately restricted and is reviewed at least annually by Management. |
| G1-7.1.1 | G - Tax | G1 - Tax Administration | The appropriate amount of tax is collected and recorded. | Collected tax amounts (funds) may be incorrect. | Collected tax amounts are verified against tax invoices and applied to the correct account. |
| G1-8.1.1 | G - Tax | G1 - Tax Administration | Tax refunds are appropriate in amount and properly authorized. | Tax refunds may be incorrect or processed without appropriate approval. | Tax refunds are approved by an authorized individual. |
| G1-8.1.2 | G - Tax | G1 - Tax Administration | Tax refunds are appropriate in amount and properly authorized. | Tax refunds may be incorrect or processed without appropriate approval. | Adequate tax refund follow-up procedures are in place. |
| G1-9.1.1 | G - Tax | G1 - Tax Administration | The County Tax Collector is adequately bonded. | The County may not be indemnified for acts by the Tax Collector. | The County Tax Collector is bonded at an amount set by the board. |
| G2-1.1.1 | G - Tax | G2 - Operations | Year-over-year differences are accurately identified, understood and acted upon. | Significant differences may not be identified and could result in significant errors or changes not being discovered in a timely manner. | Differences between current year actual (quantity and amount) and the prior year accrual are identified and understood. |
| G2-2.1.1 | G - Tax | G2 - Operations | Taxes are properly calculated, recorded and remitted. | Tax payments may not be timely, accurate and/or appropriately authorized. | Payments are agreed to underlying documentation, are applied timely, and are approved appropriately. |
| G2-2.2.1 | G - Tax | G2 - Operations | Taxes are properly calculated, recorded and remitted. | Taxes may not be properly recorded. | Significant receivables (tax payments) are reviewed to verify the correct tax status and amounts; when needed, follow-up is made. |
| G2-3.1.1 | G - Tax | G2 - Operations | Taxes are properly calculated, recorded and received. | Taxes may not be properly recorded. | Tax rate updates (use, property, etc.) are performed on a timely basis. |
| G2-3.2.1 | G - Tax | G2 - Operations | Taxes are properly calculated, recorded and received. | Tax revenues may not meet statutory requirements. | Tax calculations are reviewed to ensure accuracy and compliance with laws and regulations. |
| G2-4.1.1 | G - Tax | G2 - Operations | Collection of overdue / underpaid taxes is sought; penalties and interest are applied as appropriate. | Tax revenues may not be collected. | Penalties and interest are applied as appropriate. |
| G2-4.1.2 | G - Tax | G2 - Operations | Collection of overdue / underpaid taxes is sought; penalties and interest are applied as appropriate. | Tax revenues may not be collected. | Collection of overdue / underpaid taxes is pursued. |
| G2-4.1.3 | G - Tax | G2 - Operations | Collection of overdue / underpaid taxes is sought; penalties and interest are applied as appropriate. | Tax revenues may not be collected. | Penalty and interest waivers are only processed by authorized individuals; all waivers are reviewed and approved by Management. |
| G2-5.1.1 | G - Tax | G2 - Operations | Only appropriate tax payments are processed. | Fraudulent / inadequate tax payments are processed. | Fraudulent / inadequate tax payments are not processed, but are referred to Management for further action. |
| G2-6.1.1 | G - Tax | G2 - Operations | Unclaimed refunds / overpayments are returned to payers. | Unclaimed refunds / overpayments are neither returned to payers nor escheated to the State. | Unclaimed refunds / overpayments are returned to payers or escheated to the State (see G.S. 116B). |
| G2-7.1.1 | G - Tax | G2 - Operations | Only authorized manual payments and adjustments are made. | Unauthorized payments and adjustments outside of County computer systems may be made. | All manual payments and adjustments are pre-approved by appropriate levels of management; management regularly scans transactions to ensure only authorized manual adjustments have been made. |
| G2-8.1.1 | G - Tax | G2 - Operations | Asset valuations are accurate and updated appropriately; the appeals process is properly administered. | Asset valuations are not accurate. | Asset valuations are reviewed for accuracy (reasonableness versus similar properties). |
| G2-8.2.1 | G - Tax | G2 - Operations | Asset valuations are accurate and updated appropriately; the appeals process is properly administered. | Asset valuations are not updated timely, resulting in lost revenue. | Asset valuations are updated on a periodic basis. |
| G2-8.3.1 | G - Tax | G2 - Operations | Asset valuations are accurate and updated appropriately; the appeals process is properly administered. | Asset valuations appeal process is not appropriately administered, resulting in lost revenue and taxpayer dissatisfaction. | The asset valuations appeal process is monitored and reports are issued to County Management and the Board. |
| G3-1.1.1 | G - Tax | G3 - Tax Accounting | Tax recording adheres to US GAAP / GAAS and is in compliance with U.S., State and County tax laws and regulations. | New accounting, reporting, tax law and regulation changes may not be identified and reflected appropriately or timely in the income provision. | Significant new accounting and reporting issues are identified and documented as to impact on the tax provision. |
| G3-2.1.1 | G - Tax | G3 - Tax Accounting | Tax expense, assets and liabilities are accurately calculated and appropriately presented in the financial statements. | Tax related balances may be over / understated. | The adequacy of tax balances is reviewed by Management and adjustments are made as necessary. |
| G3-2.2.1 | G - Tax | G3 - Tax Accounting | Tax expense, assets and liabilities are accurately calculated and appropriately presented in the financial statements. | Errors may exist, resulting in inaccurate financial reporting. | The tax impacts for significant nonrecurring transactions are properly reflected in accruals and fund balances. |
| G3-2.3.1 | G - Tax | G3 - Tax Accounting | Tax expense, assets and liabilities are accurately calculated and appropriately presented in the financial statements. | Tax payments may not be timely, accurate and/or appropriately authorized. | Payments are agreed to underlying documentation, disbursed timely and are appropriately approved. |
| G3-3.1.1 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Property tax notices may not be issued timely, accurately and / or appropriately authorized. | Payments are reconciled from property tax compliance software and the accounting system. |
| G3-3.2.1 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Financial statements are misstated due to classification and / or entry errors. | Tax entries are properly authorized and posted correctly to general ledger and tax accounts. |
| G3-3.2.2 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Financial statements are misstated due to classification and / or entry errors. | Tax balances are recorded according to generally accepted governmental accounting principles. |
| G3-3.2.3 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Financial statements are misstated due to classification and / or entry errors. | Tax-related figures used for public dissemination have been agreed. |
| G3-3.2.4 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Financial statements are misstated due to classification and / or entry errors. | Required (monthly) reconciliation of tax accounts is performed. |
| G3-3.2.5 | G - Tax | G3 - Tax Accounting | Property tax is properly calculated, recorded and the appropriate amount of property tax is collected and remitted to the correct jurisdiction. | Financial statements are misstated due to classification and / or entry errors. | Fees and revenues are transferred to the appropriate funds as required. |
| H1-1.1.1 | H - Financial Management | H1 - Cash and Debt Management | Financing (cash, etc.) strategies are optimized to meet County objectives. | The County's financing strategies may not be optimized, based on the current market conditions. | There is a review of strategies for cash, investment and debt management to ensure activities are optimized in accordance with County goals and market conditions. |
| H1-2.1.1 | H - Financial Management | H1 - Cash and Debt Management | All County bank accounts are established and operated by County Finance. | Banking activity authorizations may not be updated and changes may not be communicated to the banks, resulting in misappropriation of County funds. | Bank Account opening and closing is approved by authorized persons within County Finance. |
| H1-2.1.2 | H - Financial Management | H1 - Cash and Debt Management | All County bank accounts are established and operated by County Finance. | Banking activity authorizations may not be updated and changes may not be communicated to the banks, resulting in misappropriation of County funds. | Banking authorizations / official signatures are updated when personnel change and the list is reviewed, approved and communicated to the banks in a timely manner. |
| H1-2.2.1 | H - Financial Management | H1 - Cash and Debt Management | All County bank accounts are established and operated by County Finance. | Individuals may improperly process transactions and/or may be unaware of County policy, resulting in inaccurate financial reporting. | Access to banking systems and records is appropriately restricted and the list of authorized individuals is reviewed, at least annually, by management. |
| H1-2.2.2 | H - Financial Management | H1 - Cash and Debt Management | All County bank accounts are established and operated by County Finance. | Individuals may improperly process transactions and/or may be unaware of County policy, resulting in inaccurate financial reporting. | Updated, written procedures are maintained to document administration and accounting of all banking activities and cash transactions. |
| H1-3.1.1 | H - Financial Management | H1 - Cash and Debt Management | Movements of funds comply with the County's Cash Management Policy. | County funds may be diverted fraudulently and financial statements may not correctly reflect the County's financial position. | Adequate segregation of duties exists among the individuals: 1) approving movements / disbursements of funds; 2) initiating the movements / disbursements; and 3) releasing the funds. |
| H1-4.1.1 | H - Financial Management | H1 - Cash and Debt Management | Funds are disbursed to the correct payee, in the correct account, at the correct time and in the requested currency after receiving proper authorizations and approvals. | Fund transfers may be made without receiving proper authorization and approval, resulting in fraudulent banking activities. | Daily bank debit advices for all transfers of funds / disbursements are reviewed timely and discrepancies are investigated and resolved. |
| H1-4.2.1 | H - Financial Management | H1 - Cash and Debt Management | Funds are disbursed to the correct payee, in the correct account, at the correct time and in the requested currency after receiving proper authorizations and approvals. | Funds may not be delivered appropriately; i.e., incorrect payee, incorrect account or incorrect time, resulting in recovery risk for funds or financial property. | Independent verification is obtained before all fund transfers / disbursements to third parties are executed via the bank. |
| H1-4.2.2 | H - Financial Management | H1 - Cash and Debt Management | Funds are disbursed to the correct payee, in the correct account, at the correct time and in the requested currency after receiving proper authorizations and approvals. | Funds may not be delivered appropriately; i.e., incorrect payee, incorrect account or incorrect time, resulting in recovery risk for funds or financial property. | In the event of an emergency, procedures and policies are in place to ensure that cash can be transferred between bank accounts. |
| H1-5.1.1 | H - Financial Management | H1 - Cash and Debt Management | Controls are in place to ensure disbursements are properly approved, that adequate supporting documentation exists and that payment is accurately recorded. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | Stop payments required on checks or Electronic Funds Transfers (EFTs) are transacted in accordance with County policy and procedures, and Bank instructions. |
| H1-5.1.2 | H - Financial Management | H1 - Cash and Debt Management | Controls are in place to ensure disbursements are properly approved, that adequate supporting documentation exists and that payment is accurately recorded. | Disbursements may be unauthorized, recorded for the wrong amount, recorded in the wrong period, or made for goods and services not received. | All requests for wire transfers are properly approved by the department before being processed. |
| H1-6.1.1 & B5-2.1.1 | H - Financial Management | H1 - Cash and Debt Management | Only properly authorized personnel can generate manual payments. | Inappropriate manual payments may be generated without authorization. | The ability to generate manual payments is restricted. |
| H1-6.1.2 & B5-2.1.2 | H - Financial Management | H1 - Cash and Debt Management | Only properly authorized personnel can generate manual payments. | Inappropriate manual payments may be generated without authorization. | Manual disbursement activity is monitored and controlled by management to ensure there is proper cost authority approval and adequate supporting documentation. |
| H1-6.1.3 & B5-2.1.3 | H - Financial Management | H1 - Cash and Debt Management | Only properly authorized personnel can generate manual payments. | Inappropriate manual payments may be generated without authorization. | Blank checks, printed checks and check-stock are safeguarded from destruction or unauthorized use. Signature plates, where used, are safeguarded. All checks are issued numerically and accounted for on a periodic basis. |
| H1-7.1.1 | H - Financial Management | H1 - Cash and Debt Management | Escheatment payments are made timely and appropriately to the state and are minimized in accordance with County policy. | Untimely and incomplete reporting may result in fines and penalties. Failure to pursue check cashing by third parties may result in loss of relationship with customers, vendors and employees. | There is a mechanism in place to ensure that escheatment payments are minimized and are filed timely with the state. See G.S. 116B. |
| H1-8.1.1 | H - Financial Management | H1 - Cash and Debt Management | Cash balances are forecasted to ensure sufficient cash is available to meet County obligations. | Inaccurate, untimely, or unavailable information regarding cash inflows and outflows may result in failure to optimize the use of County funds. | Cash balances are forecasted on a daily basis using the most current available information. |
| H1-9.1.1 | H - Financial Management | H1 - Cash and Debt Management | The cash balance shown in the balance sheet is reconciled to bank balance monthly. | Unauthorized transactions may be processed and remain undetected which could result in misappropriation or temporary diversion of assets. | Bank accounts are reconciled to the general ledger monthly. |
| H1-9.2.1 | H - Financial Management | H1 - Cash and Debt Management | The cash balance shown in the balance sheet is reconciled to bank balance monthly. | The cash balance may be inaccurate, resulting in inaccurate financial reporting or fraud, which may not be detected or resolved in a timely manner. | All cash receipts and disbursements are promptly recorded in the general ledger when received or disbursed and a reconciliation is made at an appropriate frequency of all cash transactions to the general ledger. |
| H1-10.1.1 | H - Financial Management | H1 - Cash and Debt Management | Cash accounting systems and records are appropriately safeguarded. | Loss or unauthorized changes could go undetected. | Access to cash accounting systems and data is appropriately restricted and is reviewed at least annually by management. |
| H1-11.1.1 | H - Financial Management | H1 - Cash and Debt Management | Commercial paper is accurately recorded and reported in the financial statements. | Commercial paper authorizations may not be kept up to date and any changes may not be notified to banks, resulting in misappropriation of County funds. | Commercial paper transactions are executed only by authorized individuals. |
| H1-11.1.2 | H - Financial Management | H1 - Cash and Debt Management | Commercial paper is accurately recorded and reported in the financial statements. | Commercial paper authorizations may not be kept up to date and any changes may not be notified to banks, resulting in misappropriation of County funds. | Commercial paper official signatures are updated when personnel change and the list is reviewed, approved and communicated to the banks in a timely manner. |
| H1-11.1.3 | H - Financial Management | H1 - Cash and Debt Management | Commercial paper is accurately recorded and reported in the financial statements. | Commercial paper authorizations may not be kept up to date and any changes may not be notified to banks, resulting in misappropriation of County funds. | Executed commercial paper activity is compared to daily requirements and any unreconciled items are investigated and resolved promptly. |
| H1-11.2.1 | H - Financial Management | H1 - Cash and Debt Management | Commercial paper is accurately recorded and reported in the financial statements. | Commercial paper may be inaccurately recorded in the financial statements. | Commercial paper transactions are input into the Treasury management system by a person independent from the person who electronically matches and approves the transactions between Treasury management system and the clearing bank before cash transfers. |
| H1-11.2.2 | H - Financial Management | H1 - Cash and Debt Management | Commercial paper is accurately recorded and reported in the financial statements. | Commercial paper may be inaccurately recorded in the financial statements. | Commercial paper transactions, including principal and interest, are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| H1-12.1.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investments may be in violation of County policy or external regulations, resulting in excessive risks, penalties or losses. | Investment objectives are met in accordance with the County investment policy and all individuals responsible for such transactions are aware of prohibited investment transactions. |
| H1-12.2.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investments may be made in non-approved counterparties and/or risk exposure may be concentrated inappropriately. | Risk assessments are performed to monitor and develop approved investment limits with financial institutions. |
| H1-12.3.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investments may be made by unauthorized employees, resulting in misappropriation of County funds and/or non-compliance with County investment policies. | Investment official signatures are updated when personnel change and the list is reviewed, approved and communicated to the financial institutions in a timely manner. |
| H1-12.4.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Instruments may not be held until maturity, resulting in unanticipated gain/loss. | Investment is done in accordance with County policy and the investment position is reviewed regularly to ensure compliance with investment guidelines. |
| H1-12.4.2 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Instruments may not be held until maturity, resulting in unanticipated gain/loss. | Requests to redeem investments before their scheduled maturity date must be appropriately authorized. |
| H1-12.5.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investments, including interest on investments, may not be correctly valued or recorded in the financial statements. | Short term investments, including interest on investments, are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| H1-12.5.2 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investments, including interest on investments, may not be correctly valued or recorded in the financial statements. | The accounting treatment of financial instrument types is reviewed with Finance Department management prior to set up in the Treasury management system. |
| H1-12.6.1 | H - Financial Management | H1 - Cash and Debt Management | Financial instruments comply with the County investment policy. | Investment documents may be misappropriated, lost, or destroyed. | Stock certificates are obtained and physically safeguarded. |
| H1-13.1.1 | H - Financial Management | H1 - Cash and Debt Management | Settlements are disbursed to the correct payee, in the correct account, at the correct time, and in the requested currency. | Incorrect settlement of an investment transaction may occur; such as wrong amount, wrong counterparty etc., resulting in failure to optimize investment and/or misappropriation of County funds. | All settlements are confirmed before auctioning. Any deviations from standard procedures are reviewed to ensure appropriateness and correctness. |
| H1-14.1.1 | H - Financial Management | H1 - Cash and Debt Management | Investment systems and records are appropriately safeguarded. | Loss or unauthorized changes may go undetected. | Access to investment systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| H1-15.1.1 | H - Financial Management | H1 - Cash and Debt Management | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| H1-16.1.1 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Failure to establish or maintain appropriate relationship with financing sources may result in failure to optimize investment strategies. | Relationships are established with financing sources before financing is needed. Proper and current relationships are maintained to facilitate access to cash as the need arises. |
| H1-16.2.1 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Debt financing is approved by authorized persons within the County. |
| H1-16.2.2 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Debt financing official signatures are updated when personnel change and the list is reviewed, approved and communicated to the financial institutions in a timely manner. |
| H1-16.2.3 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Debt instruments are entered into the Treasury management system and input is verified with term sheets. |
| H1-16.2.4 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Rates and rate resets, where applicable, are input into the Treasury management system promptly. |
| H1-16.2.5 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Changes in debt instruments (partial repayments, extension of maturities, change of terms, and drawdown) are input into the Treasury management system. |
| H1-16.2.6 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Settlements of principal and interest are verified with the Treasury management system and with bank / trustee before payment. |
| H1-16.2.7 | H - Financial Management | H1 - Cash and Debt Management | Debt financing is approved, recorded and reported in the financial statements. | Debt financing transactions may not be properly authorized, approved, and/or recorded in the financial statements. | Debt transactions, including principal and interest, are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| H1-17.1.1 | H - Financial Management | H1 - Cash and Debt Management | Debt covenants are monitored and adhered to and financial statement disclosures are accurate. | Debt covenants may be violated and unresolved, resulting in financial risk of penalty and non-compliance with County policy. | On a periodic basis Management verifies that external debt is in compliance with the covenants contained in loan documentation. |
| H1-18.1.1 | H - Financial Management | H1 - Cash and Debt Management | Debt is managed in accordance with County objectives. | Information may be unavailable to forecast debt requirements, resulting in improper debt management. | Monthly debt report is provided to Senior management; actions to be taken are recorded. |
| H1-18.1.2 | H - Financial Management | H1 - Cash and Debt Management | Debt is managed in accordance with County objectives. | Information may be unavailable to forecast debt requirements, resulting in improper debt management. | Payment due dates are routinely monitored. |
| H1-19.1.1 | H - Financial Management | H1 - Cash and Debt Management | Debt management systems and records are appropriately safeguarded. | Loss or unauthorized changes may not be detected. | Access to debt management systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| H1-20.1.1 | H - Financial Management | H1 - Cash and Debt Management | Escrowed funds are reviewed periodically (at least annually) and cleared as appropriate (may include escheatment). | Escrowed funds are used for other purposes or stolen. | Escrowed funds are reviewed monthly and cleared per County policies. A periodic review for escheatment is performed and documented semi-annually. An annual escheatment to the state is required (see G.S. 116B). |
| H1-21.1.1 | H - Financial Management | H1 - Cash and Debt Management | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| H2-1.1.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Agreements may not be compliant with the derivative policy and unauthorized hedging activities may take place, resulting in stand alone derivatives and unanticipated impact on earnings. | All currency and commodity risk management programs (including hedge strategies, derivative tools, accounting treatment) are approved by the County Management and reviewed by Finance / Treasury prior to implementation. |
| H2-1.2.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Agreements may not be compliant with the derivative policy and unauthorized hedging activities may take place, resulting in stand alone derivatives and unanticipated impact on earnings. | Management is made aware of what Embedded Financial Derivatives, Leases, Guarantees and Variable Interest Entities (VIEs) are and how to identify them prior to execution. Relevant information is communicated appropriately. |
| H2-1.3.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Derivative authorizations may not be updated and financial institutions may not be notified of changes. This may result in the misappropriation of County funds. | Derivatives are approved and authorized by Finance prior to entering the contracts or financial instrument. |
| H2-1.4.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Derivative authorizations may not be updated and financial institutions may not be notified of changes. This may result in the misappropriation of County funds. | Derivative authorizations/official signatures are updated when personnel change and the list is reviewed and communicated to the financial institutions in a timely manner. |
| H2-1.5.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Derivative authorizations may not be updated and financial institutions may not be notified of changes. This may result in the misappropriation of County funds. | Derivatives are promptly entered into the Treasury management systems and input is verified with a term sheet. |
| H2-1.6.1 | H - Financial Management | H2 - Financial Risk Management | The use of Financial Derivatives is approved and is in compliance with the County's derivative policy. | Penalties may be assessed for failure to settle contractual arrangements. | There is a mechanism to monitor pending settlement dates. |
| H2-2.1.1 | H - Financial Management | H2 - Financial Risk Management | Foreign Exchange or Commodity derivative and exposure is effective, correctly valued, and properly disclosed / presented. | Hedge accounting documentation may not be in accordance with accounting standards (e.g., FAS No.133) and/or the relationship between financial derivative and exposure becomes ineffective, resulting in loss. | Written policies/procedures identify required hedge accounting procedures and documentation, including contemporaneous hedge documentation, effectiveness testing, and assignment of specific hedge asset/liability to exposures. |
| H2-2.2.1 | H - Financial Management | H2 - Financial Risk Management | Foreign Exchange or Commodity derivative and exposure is effective, correctly valued, and properly disclosed / presented. | Derivative instruments' valuation and hedge effectiveness may be incorrectly calculated, resulting in inaccurate financial reporting. | Configuration, interfaces, models, spreadsheets, formulas and market data for any applicable systems and/or programs used to transact and value derivative activity are designed, implemented, maintained and reviewed for accuracy. |
| H2-3.1.1 | H - Financial Management | H2 - Financial Risk Management | Highly complex accounting related to derivatives and hedging instruments is properly performed, recorded and reported. | Financial statements and/or disclosures may be materially misstated if this accounting work is not performed correctly. | Sufficient Derivatives accounting expertise is in place or available to those responsible for managing / implementing derivative and hedging programs in the form of 1) up-front technical implementation guidance and 2) ongoing execution monitoring. |
| H2-4.1.1 | H - Financial Management | H2 - Financial Risk Management | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Derivative valuation may be incorrectly calculated. | Derivative valuations are accurate and agree to supporting documentation. |
| H2-4.1.2 | H - Financial Management | H2 - Financial Risk Management | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Derivative valuation may be incorrectly calculated. | Any modifications to derivative contracts are appropriately authorized by management. |
| H2-4.1.3 | H - Financial Management | H2 - Financial Risk Management | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Material misstatements or errors may not be detected. | Derivative and hedging instruments are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| H2-5.1.1 | H - Financial Management | H2 - Financial Risk Management | Hedging systems, broker accounts and records are properly safeguarded. | Unauthorized trades or changes to systems and records may result in material financial exposure. | Access to hedge execution systems, broker accounts and records is appropriately restricted and is reviewed by Management, at least annually, and communicated to counterparties. |
| H2-6.1.1 | H - Financial Management | H2 - Financial Risk Management | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| H2-7.1.1 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Incorrect guarantee documentation, processing, and execution may result in inaccurate financial reporting. | Approved financing and other supporting documentation are on file for each Guarantee or Guarantee program. |
| H2-7.2.1 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Lack of knowledge of beneficiary's default on guaranteed loans may result in unaccounted debt / liability and related interest expense. | Guarantees are reconciled quarterly with bank confirmations for limits, amounts utilized and default status, either from lending institutions or beneficiaries, to ensure record accuracy. |
| H2-7.2.2 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Lack of knowledge of beneficiary's default on guaranteed loans may result in unaccounted debt / liability and related interest expense. | There is a mechanism in place to ensure that all guarantees are identified and then entered into the database. |
| H2-7.3.1 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Guarantees may not be accurately valued in accordance with accounting guidelines (e.g., FIN 45). | All financial guarantees are valued and reviewed quarterly in accordance with accounting guidelines. |
| H2-7.3.2 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Guarantees may not be accurately valued in accordance with accounting guidelines (e.g., FIN 45). | There is a documented process to ensure that banks provide notification in the event of a guarantee default. |
| H2-7.3.3 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in a timely manner to ensure accurate financial reporting. | Guarantees may not be accurately valued in accordance with accounting guidelines (e.g., FIN 45). | There is a feedback mechanism to limit guarantee issuances in the event of a default. |
| H2-8.1.1 | H - Financial Management | H2 - Financial Risk Management | Financial guarantee systems and records are appropriately safeguarded. | Loss or unauthorized changes may not be detected. | Access to guarantee systems and records is appropriately restricted and is reviewed by management at least annually. |
| H2-9.1.1 | H - Financial Management | H2 - Financial Risk Management | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| I1-1.1.1 | I - Risk Management | I1 - Risk Management | Senior Management and the Board of Commissioners are made aware of significant risks. | Senior management is unaware of potential risks and unable to take preventative actions to manage the risk. | County Management receives periodic updates of Risk Management activities. These updates include new risks identified, ongoing risk mitigation activities and recent incidents. |
| I1-2.1.1 | I - Risk Management | I1 - Risk Management | A periodic risk assessment is performed. | Unknown risks develop and more costly / less effective efforts are required to mitigate the risk when discovered. | An annual risk assessment is performed for all County Departments. |
| I1-3.1.1 | I - Risk Management | I1 - Risk Management | Risks are ranked and categorized; higher ranked risks are addressed first. | Smaller risks are worked on while larger risks are left unaddressed. | A periodic (at least annual) risk evaluation and ranking are performed. |
| I1-4.1.1 | I - Risk Management | I1 - Risk Management | New risks are identified and tested. | Risks remain unknown and unaddressed. Risk liabilities may not be adequately disclosed in the County's financial statements. | Risk Management personnel attend appropriate conferences, webinars and other training opportunities to identify new risks. Benchmarking and other activities are also performed. |
| I1-4.1.2 | I - Risk Management | I1 - Risk Management | New risks are identified and tested. | Risks remain unknown and unaddressed. Risk liabilities may not be adequately disclosed in the County's financial statements. | When appropriate, reserves are established and funded. |
| I1-5.1.1 | I - Risk Management | I1 - Risk Management | Risks are monitored and mitigation activities are performed to reduce risk (resultant changes in risk scores are monitored). | Risks are not addressed and mitigation efforts are not performed. | Identified risks are noted, monitored and specific actions are planned to mitigate risks. |
| I1-5.1.2 | I - Risk Management | I1 - Risk Management | Risks are monitored and mitigation activities are performed to reduce risk (resultant changes in risk scores are monitored). | Risks are not addressed and mitigation efforts are not performed. | Risk mitigation activities are performed and results calculated and shared with management. |
| I1-6.1.1 | I - Risk Management | I1 - Risk Management | The knowledge of risk management is promoted throughout the organization. | Increased risks exist because basic risk management knowledge and principles are unknown. | The Risk Management Group proactively seeks out opportunities to educate County employees and related parties about identifying and mitigating risks. |
| I1-7.1.1 | I - Risk Management | I1 - Risk Management | Insurance systems and records are complete and accurate. | Loss or unauthorized changes may not be detected. | Information in County systems is reviewed at least annually to ensure completeness and accuracy. |
| I1-7.1.2 | I - Risk Management | I1 - Risk Management | Insurance systems and records are complete and accurate. | Loss or unauthorized changes may not be detected. | County information in third-party systems is reviewed at least annually to ensure completeness and accuracy. |
| I1-8.1.1 | I - Risk Management | I1 - Risk Management | Insurance systems and records are appropriately safeguarded. | Loss or unauthorized changes may not be detected. | Access to insurance systems and records is appropriately restricted and is reviewed by management at least annually. |
| I1-9.1.1 | I - Risk Management | I1 - Risk Management | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions, and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| I2-1.1.1 | I - Risk Management | I2 - Insurance Management | Insurance coverage is adequate for County purposes. | The County does not have adequate coverage to cover risks. | The Risk Management Group reviews County policies for adequacy of coverage. |
| I2-1.1.2 | I - Risk Management | I2 - Insurance Management | Insurance coverage is adequate for County purposes. | The County does not have adequate coverage to cover risks. | The Risk Management Group reviews contracts and other legally binding documents to ensure County risks are adequately mitigated. |
| I2-1.1.3 | I - Risk Management | I2 - Insurance Management | Insurance coverage is adequate for County purposes. | The County does not have adequate coverage to cover risks. | County risks are adequately covered in the event of a catastrophic incident. |
| I2-2.1.1 | I - Risk Management | I2 - Insurance Management | Insurance policies and premiums are managed to reduce costs while maintaining adequate coverage. | County insurance costs are greater than required. | Periodically (at least annually), insurance policies and premiums are reviewed for cost versus coverage considerations. |
| I2-3.1.1 | I - Risk Management | I2 - Insurance Management | Insurance policies and premiums are managed to understand and meet County performance requirements. | The County fails to meet performance requirements, incurring greater than required costs and/or dropped coverage. | At least annually, insurance policies are reviewed for performance requirements; the County's performance against those requirements is evaluated. |
| I2-4.1.1 | I - Risk Management | I2 - Insurance Management | Insurance policies and premiums are managed to understand and evaluate the third-party insurance provider's performance requirements. | The third-party insurance provider fails to meet performance requirements resulting in insufficient coverage / greater exposure to risk for the County. | At least annually insurance provider performance requirements are reviewed and evaluated. |
| I2-5.1.1 | I - Risk Management | I2 - Insurance Management | Insurance claims and cases are effectively managed. | Higher costs than required are incurred; there exists a greater exposure to costly legal action. | Insurance claims are reviewed and then approved for compensability. |
| I2-5.1.2 | I - Risk Management | I2 - Insurance Management | Insurance claims and cases are effectively managed. | Higher costs than required are incurred; there exists a greater exposure to costly legal action. | Insurance claims (received and initiated) are monitored and proactively managed. |
| I2-5.1.3 | I - Risk Management | I2 - Insurance Management | Insurance claims and cases are effectively managed. | Higher costs than required are incurred; there exists a greater exposure to costly legal action. | Risk Management monitors and manages claims to facilitate employees' return to work. |
| I2-5.1.4 | I - Risk Management | I2 - Insurance Management | Insurance claims and cases are effectively managed. | Higher costs than required are incurred; there exists a greater exposure to costly legal action. | Invoices reflect agreed upon contractual prices. |
| I2-6.1.1 | I - Risk Management | I2 - Insurance Management | Claim reserves are established and monitored for adequacy against potential risk mitigation and payments. | Claim reserves are not adequate to fund risk mitigation and potential payments. Liabilities are not fully recognized in financial reports and statements. | Claim reserves are periodically reviewed to determine their adequacy to fund risk mitigation and potential payments. |
| J1-1.1.1 | J - Finance | J1 - Accounting Policy | The chart of accounts is designed to meet business / function financial reporting and financial consolidation requirements, and is periodically reviewed and updated. | The chart of accounts may not be updated for changes in accounting principles or current business and financial reporting requirements. | New accounting principles/business reporting requirements are communicated to and processed within accounting systems. |
| J1-1.1.2 | J - Finance | J1 - Accounting Policy | The chart of accounts is designed to meet business / function financial reporting and financial consolidation requirements, and is periodically reviewed and updated. | The chart of accounts may not be updated for changes in accounting principles or current business and financial reporting requirements. | The chart of account elements are reviewed periodically, at least annually, and then approved by Finance Management. |
| J1-1.2.1 | J - Finance | J1 - Accounting Policy | The chart of accounts is designed to meet business / function financial reporting and financial consolidation requirements, and is periodically reviewed and updated. | Active accounts may not be included in the chart of accounts structure. | Account classification and coding systems are adequate to allow for accurate and consistent financial statement classification. |
| J1-2.1.1 | J - Finance | J1 - Accounting Policy | A complete and current chart of accounts is defined in the County's accounting systems and system logic enforces the use of valid accounts for all accounting entries. | Invalid and/or wrong accounts may be used to record accounting entries and transactions. | System logic in the County accounting systems enforces the use of valid accounts for all accounting entries. |
| J1-3.1.1 | J - Finance | J1 - Accounting Policy | The chart of accounts is complete and accurate. | The chart of accounts may not be maintained completely and/or accurately, which may affect transactional postings. | A complete and current chart of accounts is defined in the County's accounting systems and system logic enforces the use of valid accounts for all accounting entries. |
| J1-3.1.2 | J - Finance | J1 - Accounting Policy | The chart of accounts is complete and accurate. | The chart of accounts (GCOA/Financial items, Legal Entity/Region, Business/FRB) may not be maintained completely and/or accurately, which may affect transactional postings. | Account additions, deletions and changes to account master data are appropriately reviewed, approved, and set up in the County's accounting systems (including mapping tables). |
| J1-4.1.1 | J - Finance | J1 - Accounting Policy | Only appropriate users are able to make changes in the chart of accounts (e.g., mapping, accounts and elements). | Financial accounting and reporting structures may be intentionally or unintentionally and inappropriately changed by users. | The ability to maintain the chart of accounts is restricted to appropriate users and the list of users is reviewed and approved annually. |
| J1-5.1.1 | J - Finance | J1 - Accounting Policy | External reporting adheres to Federal, State and local governmental accounting standards. | Financial Statements (or sub-components thereof) may be prepared and published and not be in compliance with Federal, State and local governmental accounting standards. | New accounting developments are monitored and applicability to the County is determined; policies and procedures for implementation of new accounting standards are defined, documented, communicated and adhered to. |
| J1-5.1.2 | J - Finance | J1 - Accounting Policy | External reporting adheres to Federal, State and local governmental accounting standards. | Financial Statements (or sub-components thereof) may be prepared and published and not be in compliance with Federal, State and local governmental accounting standards. | Accounting policies and procedures are written, kept current to facilitate compliance with Federal, State and local governmental requirements, and are consistently applied and enforced; any exceptions are documented. |
| J1-5.1.3 | J - Finance | J1 - Accounting Policy | External reporting adheres to Federal, State and local governmental accounting standards. | Financial Statements (or sub-components thereof) may be prepared and published and not be in compliance with Federal, State and local governmental accounting standards. | Sufficient accounting expertise is in place for consulting and guidance regarding the necessity for reporting and compliance with Federal, State and local governmental accounting standards and requirements. |
| J1-6.1.1 | J - Finance | J1 - Accounting Policy | Appropriate documentation support, including data sources, exists for all transactions, statements, reports, footnotes and disclosures. | Sufficient documentation (evidence) may not exist to justify accounting transactions and financial reports. | Appropriate support documentation, including data sources, exists and is maintained for all transactions, statements, reports, footnotes and disclosures. |
| J1-7.1.1 | J - Finance | J1 - Accounting Policy | Costs are appropriately established, calculated and recorded in accordance with County policy. | Costs may be incorrectly stated and result in inaccurate financial reporting. | Per County policy, including appropriate threshold amounts, entries are made to record liabilities for materials / services received for which invoices have not yet been received by the County or processed by Accounts Payable (“received not billed”). |
| J1-7.1.2 | J - Finance | J1 - Accounting Policy | Costs are appropriately established, calculated and recorded in accordance with County policy. | Costs may be incorrectly stated and result in inaccurate financial reporting. | Costs are reviewed to ensure they are classified correctly (e.g., period expense, cost or capital, etc.) and recorded in the proper period. |
| J1-7.1.3 | J - Finance | J1 - Accounting Policy | Costs are appropriately established, calculated and recorded in accordance with County policy. | Costs may be incorrectly stated and result in inaccurate financial reporting. | Management reviews cost variances between actual costs and estimates, outlooks, or history. Significant variances are investigated and resolved. |
| J2-1.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Closing activities, procedures and authorizations are properly established. Accounting records are closed timely, accurately and prior period posting is prevented. | Abnormal and/or unauthorized closing activities may result in inaccurate financial reports and delay consolidation. | Procedures, including closing schedules, are issued and monitored to ensure proper cut-off at monthly, quarterly, and annual closing periods. |
| J2-1.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | Closing activities, procedures and authorizations are properly established. Accounting records are closed timely, accurately and prior period posting is prevented. | Abnormal and/or unauthorized closing activities may result in inaccurate financial reports and delay consolidation. | Internal time lines are developed and well-communicated in advance of each end of reporting period (month-end, quarter-end and year-end) to ensure financial reporting deadlines are met. The process of preparation and submission is monitored by management. |
| J2-1.2.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Closing activities, procedures and authorizations are properly established. Accounting records are closed timely, accurately and prior period posting is prevented. | Posting to prior periods may impact the integrity of the financial statements. | Posting to closed and/or prior periods is restricted and monitored. |
| J2-2.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Financial records of the County are updated based on properly authorized entries. | Duplicate, unauthorized, or incorrect journal entries may be posted. | Journal entries are properly documented, reviewed, and authorized. |
| J2-2.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | Financial records of the County are updated based on properly authorized entries. | Duplicate, unauthorized, or incorrect journal entries may be posted. | Spreadsheets used to calculate journal entries are reviewed in accordance with County policy. |
| J2-2.1.3 | J - Finance | J2 - Accounting / Monthly Closing Process | Financial records of the County are updated based on properly authorized entries. | Duplicate, unauthorized, or incorrect journal entries may be posted. | The accounting system does not allow for duplicate journal entry numbers and uses sequential numbering format and captures the date/time/user ID. |
| J2-2.1.4 | J - Finance | J2 - Accounting / Monthly Closing Process | Financial records of the County are updated based on properly authorized entries. | Duplicate, unauthorized, or incorrect journal entries may be posted. | System does not permit posting of an unbalanced journal entry. |
| J2-3.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Access to post and approve journal entries is appropriately restricted. | An individual may post entries to fictitious or improper accounts. | System access and ability to post entries is appropriately restricted. |
| J2-4.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | During the closing process, account balances accurately and completely reflect the underlying transactions. | A journal entry may be omitted or important monthly closing step(s) may be missed, resulting in inaccurate financial reporting. | Appropriate documents (e.g. trial balances, ledger output, transaction listings, etc.) reflecting recording of transactions are reviewed before closing is final to ensure entries have been properly recorded. |
| J2-5.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | All liabilities have been identified and accrued completely, accurately and in compliance with GAAP/GAS and County policy. | Obligations may exist that are not recorded, resulting in inaccurate financial reporting. | Finance, working with each Department, ensures all obligations (actual and contingent) have been identified, properly evaluated, and correctly recorded in the financial statements. |
| J2-5.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | All liabilities have been identified and accrued completely, accurately and in compliance with GAAP/GAS and County policy. | Obligations may exist that are not recorded, resulting in inaccurate financial reporting. | Reserve accounts are established in accordance with County policy. |
| J2-5.1.3 | J - Finance | J2 - Accounting / Monthly Closing Process | All liabilities have been identified and accrued completely, accurately and in compliance with GAAP/GAS and County policy. | Obligations may exist that are not recorded, resulting in inaccurate financial reporting. | Encumbrances for purchases are established; month-end / year-end encumbrance / rollover procedures are followed. See B2-3.1.1. |
| J2-6.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | All long-lived assets are verified for existence and properly valued. | Fair value declines may not be properly identified, valued, and recorded. | Property, plant and equipment (PP&E), intangibles and investments are reviewed / tested for impairment per the applicable accounting rules and guidelines for each asset category. |
| J2-6.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | All long-lived assets are verified for existence and properly valued. | Fair value declines may not be properly identified, valued, and recorded. | Other long-term assets, e.g., long-term accounts and notes receivable, advances, deposits, etc., are monitored and reviewed to ensure continuing existence, viability, and correct valuation. |
| J2-7.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Legal entity financial data submitted to corporate is balanced and reconciled with legal entity accounting systems. | Errors could be missed, resulting in inaccurate financial reporting. | Sub-reporting systems (e.g., spreadsheets) are tied to the accounting systems and are reviewed during and after the closing process; differences are reconciled and documented. |
| J2-7.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | Legal entity financial data submitted to corporate is balanced and reconciled with legal entity accounting systems. | Errors could be missed, resulting in inaccurate financial reporting. | Balance sheet and income statement fluctuation analyses are performed prior to finalizing financial reports / statements and any significant fluctuations are investigated and resolved. |
| J2-7.1.3 | J - Finance | J2 - Accounting / Monthly Closing Process | Legal entity financial data submitted to corporate is balanced and reconciled with legal entity accounting systems. | Errors could be missed, resulting in inaccurate financial reporting. | Any differences across all financial statements are validated for completeness and correctness. |
| J2-8.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | General ledger account balances are correct. | Failure to reconcile accounts may lead to inaccurate financial reporting. | General ledger account reconciliations are performed in accordance with the County's account reconciliation policy. All unreconciled account balance information is collected each quarter. |
| J2-8.1.2 | J - Finance | J2 - Accounting / Monthly Closing Process | General ledger account balances are correct. | Failure to reconcile accounts may lead to inaccurate financial reporting. | Remediation plans for out of balances $30,000 or greater are monitored to ensure remediation occurs according to plan. |
| J2-9.1.1 | J - Finance | J2 - Accounting / Monthly Closing Process | Disclosures for financial reporting are reviewed by management for completeness and accuracy and agree to supporting documentation. | Transactions may not be properly approved, monitored, or recorded and may result in inaccurate external financial reporting. | Disclosures for financial reporting are reviewed by management for completeness and accuracy and agree to supporting documentation. |
| J3-1.1.1 | J - Finance | J3 - Specific Accounting Practices | Intercounty (e.g., tourism, school board) transaction out-of-balances are appropriately classified on the balance sheet. | Intercounty accounts may not be in balance (i.e. net to zero) and result in inaccurate financial reporting. | Intercounty imbalances are reviewed to ensure correct financial statement classification. |
| J3-1.1.2 | J - Finance | J3 - Specific Accounting Practices | Intercounty (e.g., tourism, school board) transaction out-of-balances are appropriately classified on the balance sheet. | Intercounty accounts may not be in balance (i.e. net to zero) and result in inaccurate financial reporting. | All intercounty transactions are reconciled in accordance with County policy. |
| J3-1.1.3 | J - Finance | J3 - Specific Accounting Practices | Intercounty (e.g., tourism, school board) transaction out-of-balances are appropriately classified on the balance sheet. | Intercounty accounts may not be in balance (i.e. net to zero) and result in inaccurate financial reporting. | Out-of-balances between all intercounty transactions are investigated monthly to determine root cause and fix problems. |
| J3-2.1.1 | J - Finance | J3 - Specific Accounting Practices | Intercounty payments / settlements are made accurately and timely. | Lack of settlement of intercounty payables / receivables within defined payment terms may result in incorrect financial reports. | Intercounty aging reports are reviewed monthly to ensure all past due invoice disputes are resolved and invoices are paid timely. |
| J3-3.1.1 | J - Finance | J3 - Specific Accounting Practices | Highly complex accounting and actuarial work related to pensions and OPEBS is properly performed, recorded and reported. | Financial statements and/or disclosures may be materially misstated if this accounting and actuarial work is not performed correctly. | Sufficient actuarial and accounting expertise is in place for the execution and accounting for pension and OPEB related transactions and disclosures. |
| J3-4.1.1 | J - Finance | J3 - Specific Accounting Practices | Footnote disclosure for pension meets requirements of applicable accounting standards. | Benefit obligation and expense may not be properly calculated and reported. | Plan participant data is reconciled and reviewed for reasonableness and consistency. |
| J3-4.1.2 | J - Finance | J3 - Specific Accounting Practices | Footnote disclosure for pension meets requirements of applicable accounting standards. | Benefit obligation and expense may not be properly calculated and reported. | Actuarial assumptions for measuring pension obligations are selected according to actuarial standards, reviewed and approved by management. |
| J3-4.1.3 | J - Finance | J3 - Specific Accounting Practices | Footnote disclosure for pension meets requirements of applicable accounting standards. | Benefit obligation and expense may not be properly calculated and reported. | Benefit obligations are calculated using the actuarial cost method, prescribed in pension accounting standards, and plan provisions, amendments, and activities effective during the measuring period. |
| J3-4.1.4 | J - Finance | J3 - Specific Accounting Practices | Footnote disclosure for pension meets requirements of applicable accounting standards. | Benefit obligation and expense may not be properly calculated and reported. | Significant events are monitored throughout the year and plan expense and disclosures are adjusted as necessitated by these events. |
| J3-4.1.5 | J - Finance | J3 - Specific Accounting Practices | Footnote disclosure for pension meets requirements of applicable accounting standards. | Benefit obligation and expense may not be properly calculated and reported. | Calculations to develop benefit obligation, pension expense and disclosure are reviewed annually and when remeasurement occurs in accordance with applicable accounting standards. |
| J3-5.1.1 | J - Finance | J3 - Specific Accounting Practices | Disclosure for pension and OPEBS meets requirements of applicable accounting standards. | Pension and OPEBS footnote disclosure may not meet the requirements of applicable accounting standards. | Treasury and controllership reviews quarterly that the total County pension and OPEBS footnote meets the requirements of applicable accounting standards. |
| J3-5.1.2 | J - Finance | J3 - Specific Accounting Practices | Disclosure for pension and OPEBS meets requirements of applicable accounting standards. | Pension and OPEBS footnote disclosure may not meet the requirements of applicable accounting standards. | Actuarial certifications of the results of the calculations are made for pension and OPEBS to demonstrate that valuation by internal staff has been performed in accordance with the actuarial standards. |
| J3-6.1.1 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | OPEBs demographic data is reconciled and reviewed for reasonableness and consistency. |
| J3-6.1.2 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Actuarial assumptions are reviewed and agreed by management. |
| J3-6.1.3 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Baseline claim matrix is developed according to standard actuarial procedures and methodology. |
| J3-6.1.4 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Benefit obligations are calculated accurately based on applicable accounting standards. |
| J3-6.1.5 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Benefit obligations are compared with prior year results and any adjustments made for general consistency and reasonableness are documented. |
| J3-6.1.6 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Significant events are monitored throughout the year, and disclosure and expense are adjusted if necessary. |
| J3-6.1.7 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post retirement benefits other than pension (OPEBS) are calculated correctly and in accordance with accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Plan disclosure and benefit expense are calculated and reviewed in accordance with applicable accounting standards. |
| J3-7.1.1 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post employment benefits are calculated correctly and in accordance with applicable accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Actuarial assumptions used in developing benefit obligation and expense are in accordance with applicable accounting standards, and are reviewed and approved by management. |
| J3-7.1.2 | J - Finance | J3 - Specific Accounting Practices | Accrued liabilities and earnings charges related to post employment benefits are calculated correctly and in accordance with applicable accounting standards. | Benefit obligations and earnings charges may not be calculated appropriately. | Benefit obligations and expense are calculated in accordance with applicable accounting standards. Results are compared with prior year's for reasonableness and consistency. |
| J3-8.1.1 | J - Finance | J3 - Specific Accounting Practices | "Incurred but not reported" (IBNR) claims reserve for claims incurred, but not reported for active employees is sufficient and adequate. | Reserve levels may be inappropriate and result in inaccurate reporting of earnings and liability. | "Incurred but not reported" (IBNR) reserve is calculated according to standard actuarial procedures and methodology. Results are compared with prior year's for reasonableness and consistency. |
| J3-8.1.2 | J - Finance | J3 - Specific Accounting Practices | "Incurred but not reported" (IBNR) claims reserve for claims incurred, but not reported for active employees is sufficient and adequate. | Reserve levels may be inappropriate and result in inaccurate reporting of earnings and liability. | The reserve balance is periodically reviewed versus actual claims expense to determine adequacy. |
| J3-9.1.1 | J - Finance | J3 - Specific Accounting Practices | Encumbrances ('rollovers') represent valid anticipated (future periods) payment by the County; the encumbrance transaction shows an outstanding commitment by the County. | Funding for future period commitments (payments) may not be reserved. | Approval is initiated by a request submitted to Finance to carry forward encumbered funds. Each request must be documented and justified by each department based on all outstanding encumbrances reported at May 31 of the fiscal year. The Finance Department will review the requests for carry-forward encumbrances for approval and will forward recommendations for action to Purchasing and Budget. The approved carry-forward amount, adjusted to include any payments in process, will be recorded in the next fiscal year. |
| J3-9.1.2 | J - Finance | J3 - Specific Accounting Practices | Encumbrances ('rollovers') represent valid anticipated (future periods) payment by the County; the encumbrance transaction shows an outstanding commitment by the County. | To bypass Budget processes, funds may be encumbered to transfer them between current and future budget periods. | No Control Exists; this is recognized and accepted as a risk. |
| J3-10.1.1 | J - Finance | J3 - Specific Accounting Practices | Plan assets, liabilities and accumulated other comprehensive income are properly displayed on the balance sheet. | Benefit Plan presentation on the balance sheet may not be in accordance with applicable accounting standards. | Finance / Accounting uses information provided by the actuaries to ensure proper entries are recorded and that benefit plan information is presented in the financial statements in accordance with applicable accounting standards. |
| J3-10.1.2 | J - Finance | J3 - Specific Accounting Practices | Plan assets, liabilities and accumulated other comprehensive income are properly displayed on the balance sheet. | Benefit Plan presentation on the balance sheet may not be in accordance with applicable accounting standards. | Financial statement presentation related to benefit plans is reviewed by management. |
| J3-11.1.1 | J - Finance | J3 - Specific Accounting Practices | The Chief Financial Officer complies with the North Carolina Local Government Budget and Fiscal Control Act. | The County fails to comply with the North Carolina Local Government Budget and Fiscal Control Act. County accounting and financial matters may not be properly executed, recorded and reported. | The Chief Financial Officer complies with the North Carolina Local Government Budget and Fiscal Control Act. |
| J3-11.1.2 | J - Finance | J3 - Specific Accounting Practices | The Chief Financial Officer complies with the North Carolina Local Government Budget and Fiscal Control Act. | The County fails to comply with the North Carolina Local Government Budget and Fiscal Control Act. County accounting and financial matters may not be properly executed, recorded and reported. | The Finance Officer is individually bonded per G.S. 159-29. |
| J4-1.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Management is aware of the use of any embedded financial derivatives and/or guarantees. Relevant information is communicated appropriately. | Agreements may not be compliant with the derivative policy and unauthorized hedging activities may take place, resulting in stand alone derivatives and unanticipated financial impacts. | Management is made aware of any guarantees prior to execution. Relevant information is communicated appropriately. |
| J4-2.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in central repository in a timely manner to ensure accurate financial reporting. | Incorrect guarantee documentation, processing, and execution may result in inaccurate financial reporting. | Approved financing / other supporting documentation are on file with Finance for each Guarantee or Guarantee program. |
| J4-2.2.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in central repository in a timely manner to ensure accurate financial reporting. | Lack of knowledge of guaranteed loans may result in unaccounted debt / liability and related interest expense. | Written Guarantees are reconciled quarterly with bank confirmations for limits, amounts utilized and default status, either from lending institutions or beneficiaries, to ensure record accuracy. |
| J4-2.2.2 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in central repository in a timely manner to ensure accurate financial reporting. | Lack of knowledge of guaranteed loans may result in unaccounted debt / liability and related interest expense. | There is a mechanism in place to ensure that all guarantees are identified and known by Finance. |
| J4-2.3.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in central repository in a timely manner to ensure accurate financial reporting. | Guarantees may not be accurately valued. | All financial guarantees are valued and reviewed quarterly. |
| J4-2.3.2 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee transactions and related costs are properly documented, recorded, updated and reconciled in central repository in a timely manner to ensure accurate financial reporting. | Guarantees may not be accurately valued. | There is a feedback mechanism to limit guarantee issuances in the event of a default. |
| J4-3.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Financial guarantee records are appropriately safeguarded. | Loss or unauthorized changes may not be detected. | Access to guarantee records is appropriately restricted and is reviewed by management at least annually. |
| J4-4.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | The use of Financial Derivatives is approved and is in compliance with the County's financial policies. | Agreements may not be compliant with the derivative policy and unauthorized hedging activities may take place, resulting in stand alone derivatives and unanticipated impact on earnings. | All currency and commodity risk management programs (including hedge strategies, derivative tools, accounting treatment) are approved by Finance Management. |
| J4-4.1.2 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | The use of Financial Derivatives is approved and is in compliance with the County's financial policies. | Agreements may not be compliant with the derivative policy and unauthorized hedging activities may take place, resulting in stand alone derivatives and unanticipated impact on earnings. | Management is made aware of any derivatives prior to execution. Relevant information is communicated appropriately. |
| J4-4.2.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | The use of Financial Derivatives is approved and is in compliance with the County's financial policies. | Derivative authorizations may not be updated and financial institutions may not be notified of changes. This may result in the misappropriation of County funds. | Derivatives are approved by authorized individuals in Finance and County Management. |
| J4-4.2.2 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | The use of Financial Derivatives is approved and is in compliance with the County's financial policies. | Derivative authorizations may not be updated and financial institutions may not be notified of changes. This may result in the misappropriation of County funds. | Derivative authorizations / official signatures are updated when personnel change and the list is reviewed and communicated to the financial institutions in a timely manner. |
| J4-5.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Foreign Exchange or Commodity derivative and exposure is effective, correctly valued, and properly disclosed / presented. | Derivative instruments' valuation and hedge effectiveness may be incorrectly calculated, resulting in inaccurate financial reporting. | Configuration, interfaces, models, spreadsheets, formulas and market data for any applicable systems and/or programs used to transact and value derivative activity are designed, implemented, maintained and reviewed for accuracy. |
| J4-6.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Highly complex accounting related to derivatives and hedging instruments is properly performed, recorded and reported. | Financial statements and/or disclosures may be materially misstated if this accounting work is not performed correctly. | Sufficient Derivatives accounting expertise is in place in Finance and is provided to those responsible for managing / implementing derivative and hedging programs in the form of 1) up-front technical implementation guidance and 2) ongoing execution monitoring. |
| J4-7.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Derivative valuation may be incorrectly calculated. | Derivative valuations are accurate and agree to supporting documentation. |
| J4-7.1.2 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Derivative valuation may be incorrectly calculated. | Any modifications to derivative contracts are appropriately authorized by management. |
| J4-7.2.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Derivatives and hedging instruments are recorded properly in the financial statements; disclosures for external financial reporting are accurate and complete. | Material misstatements or errors may not be detected. | Derivative and hedging instruments are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| J4-8.1.1 | J - Finance | J4 - Guarantees, Derivatives and Foreign Exchange | Foreign currency and exchanges are accounted for. | Published consolidated financial statements may not be in compliance with accounting standards and may contain material errors relative to conversion from foreign currencies to US dollars. | Foreign currency remeasurement and translation are performed monthly in accordance with County policy using correct published internal translation rates and such rates are reviewed for reasonableness. |
| J5-1.1.1 | J - Finance | J5 - Investments | Financing (cash, etc.) strategies are optimized to meet County objectives. | The County's financing strategies may not be optimized, based on the current market conditions and income may be lost. | There is a review of strategies for cash, investment, and debt management, to ensure activities are optimized in accordance with County goals and market conditions. |
| J5-2.1.1 | J - Finance | J5 - Investments | A written cash management and investment policy, approved by the governing board, is on file. | The County's financing strategies are not documented and followed. | A written cash management and investment policy, approved by the governing board, is on file. |
| J5-3.1.1 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Investments may be in violation of State and County investment policies or external regulations, resulting in excessive risks, penalties or losses. | Investment objectives are met in accordance with State and County investment policies and all individuals responsible for such transactions are aware of prohibited investment transactions. |
| J5-3.2.1 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Investments may be made in non-approved counterparties and/or risk exposure may be concentrated inappropriately. | Risk assessments are performed to monitor and develop approved investment limits with financial institutions. |
| J5-3.3.1 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Investments may be made by unauthorized employees, resulting in misappropriation of County funds and/or non-compliance with State and County investment policies. | Investment official signatures are updated when personnel change and the list is reviewed, approved and communicated to the financial institutions in a timely manner. |
| J5-3.4.1 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Instruments may not be held until maturity, resulting in unanticipated gains / losses. | Investment is done in accordance with State and County investment policies and the investment position is reviewed regularly to ensure compliance with investment guidelines. |
| J5-3.4.2 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Instruments may not be held until maturity, resulting in unanticipated gains / losses. | Requests to redeem investments before their scheduled maturity date must be authorized by the Director of Finance. |
| J5-3.5.1 | J - Finance | J5 - Investments | Financial instruments comply with State and County investment policies (see G.S. 159-30 .159-30(a)). | Investments, including interest on investments, may not be correctly valued, or recorded in the financial statements. | Short term investments, including interest on investments, are reviewed to ensure postings to general ledger accounts are correct and appropriate. |
| J5-4.1.1 | J - Finance | J5 - Investments | Investment systems and records are appropriately safeguarded. | Loss or unauthorized changes may go undetected. | Access to investment systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| J5-5.1.1 | J - Finance | J5 - Investments | All long-lived assets are verified for existence and properly valued. | Fair value declines may not be properly identified, valued, and recorded. | Intangibles are reviewed / tested for impairment per the applicable accounting rules and guidelines for each asset category. |
| J6-1.1.1 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is complete. | Material misstatements or errors may not be detected. | All entities, which should be included in the consolidation process, are accounted for prior to consolidation. |
| J6-1.1.2 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is complete. | Material misstatements or errors may not be detected. | The total County balance sheet and income statement, as reported, are balanced prior to being extracted into the consolidation system. |
| J6-2.1.1 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is accurate. | Errors may be missed and result in inaccurate financial reporting. | Repetitive and non-repetitive consolidation and published adjustment vouchers are documented, reviewed, and authorized. |
| J6-2.1.2 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is accurate. | Errors may be missed and result in inaccurate financial reporting. | Requests for post closing adjustments are tracked and any resulting entries are approved. A Summary of Unadjusted items is retained. |
| J6-2.1.3 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is accurate. | Errors may be missed and result in inaccurate financial reporting. | Each month, fund balances are cross-checked for reasonableness to forecast and prior period data. Significant variances are investigated and explained. |
| J6-2.1.4 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is accurate. | Errors may be missed and result in inaccurate financial reporting. | Quarterly, fluctuation analyses are performed on the financial statements, including balance sheet items, which are reviewed by management. Significant fluctuations are investigated prior to finalizing. |
| J6-2.1.5 | J - Finance | J6 - Consolidation / Financial Statement Preparation | Consolidation of financial statements is accurate. | Errors may be missed and result in inaccurate financial reporting. | Cash flow statement is prepared in compliance with applicable standards and is reviewed by management. |
| J7-1.1.1 | J - Finance | J7 - External Reporting | External reporting processes are forward-looking in order to ensure the County's ability to adhere to new reporting requirements. | New filing requirements may be enacted and the County may not be able to satisfy the new requirements. | Finance and Legal carefully monitor and assess the impact of new disclosure requirements so that external reporting processes can be implemented as needed to comply. |
| J7-2.1.1 | J - Finance | J7 - External Reporting | External reporting is prepared and submitted on a timely basis. | Late submissions may result in sanctions and a loss of credibility. | Internal time lines are developed and well-communicated in advance of each quarter-end and year-end to ensure published filing deadlines are met. |
| J7-3.1.1 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Financial statement data / disclosures are run through multiple cross-checks to ensure reporting accuracy. |
| J7-3.1.2 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | GAAP / GAS checklists reporting guides are utilized to ensure all required disclosures are prepared. Special attention is given to new requirements (e.g., new GASB pronouncements). |
| J7-3.2.1 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Shortly after quarter-end and shortly before filing of external reports, a litigation review is held with the County Attorney's Office to ensure accurate and complete reporting of significant litigation liabilities. |
| J7-3.2.2 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Prior to filing of external reports, a review is held with other relevant / appropriate personnel to ensure accurate and complete reporting of all liabilities. |
| J7-3.2.3 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Prior to filing of external reports a review is held with all appropriate personnel (both within and external to Finance) to ensure accurate and complete reporting of financial statements and disclosures. |
| J7-3.2.4 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Shortly before filing, external reports are reviewed with senior County Management to ensure accurate and complete reporting of financial statements and disclosures. |
| J7-3.2.5 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Shortly before filing, external reports are reviewed with the Audit Committee to ensure accurate and complete reporting of financial statements and disclosures. |
| J7-3.2.6 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Roll-forward starting draft and all subsequent versions of external reports are controlled to ensure upgrades are not omitted, superseded data/disclosures are not incorrectly included, conflicting input is reconciled, and official final versions are filed as intended. |
| J7-3.2.7 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Documentation support, including evidencing data sources and controls to data in financial statements, exists for all footnotes and disclosures. |
| J7-3.2.8 | J - Finance | J7 - External Reporting | External reporting is complete and accurate. | Errors could be missed, resulting in inaccurate external financial publication. | Disclosures for external reporting are reviewed by management for completeness and accuracy and agree to supporting documentation. |
| K1-1.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Assess the effectiveness of the Application Portfolio Management (APM) framework in maintaining a complete and accurate inventory of applications. | Incomplete or outdated application inventory. | Regularly updated centralized application repository with mandatory data fields and governance reviews. |
| K1-1.1.2 | K - Information Technology | K1 - Applications / Application Portfolio Management | Assess the effectiveness of the Application Portfolio Management (APM) framework in maintaining a complete and accurate inventory of applications. | Inadequate documentation of application dependencies. | Documentation of technical and business dependencies in the application registry. |
| K1-2.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Evaluate governance and oversight mechanisms for application lifecycle management. | Absence of metrics to evaluate application performance or value. | Key Performance Indicators (KPI) dashboards and periodic reviews of cost, usage, and business impact. |
| K1-3.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Verify alignment of applications with business goals and IT strategy. | Misalignment of applications with business objectives. | Strategic alignment reviews and scoring mechanisms for all portfolio entries. |
| K1-4.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Assess controls for application rationalization, cost management, and redundancy elimination. | Redundant or underutilized applications increasing cost and complexity. | Application rationalization process including utilization metrics, business value scoring, and sunset plans. |
| K1-5.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Evaluate data quality, ownership, and accountability across the application portfolio. | Lack of accountability for application ownership. | Defined application ownership roles and responsibilities with documented accountability matrix. |
| K1-5.1.2 | K - Information Technology | K1 - Applications / Application Portfolio Management | Evaluate data quality, ownership, and accountability across the application portfolio. | Inconsistent classification or metadata tagging. | Standardized taxonomy and data entry validation for application attributes. |
| K1-6.1.1 | K - Information Technology | K1 - Applications / Application Portfolio Management | Ensure security, compliance, and risk considerations are integrated into Application Portfolio Management (APM) processes. | Non-compliance with security, privacy, or regulatory requirements. | Integration of compliance checks into the application lifecycle (e.g., security reviews, data classification). |
| K1-7.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Evaluate the identification and documentation of application stakeholders. | Stakeholders for critical applications are not properly identified or documented. | Maintain a stakeholder registry with application-level mapping and regular updates. |
| K1-8.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Assess whether application requirements reflect stakeholder needs and expectations. | Application features do not meet stakeholder expectations. | Formal business requirement gathering and validation processes. |
| K1-9.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Verify mechanisms for stakeholder engagement throughout the application lifecycle. | Lack of stakeholder involvement during application updates or lifecycle events. | Defined engagement model with touchpoints across the application lifecycle. |
| K1-10.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Assess communication practices with application stakeholders regarding changes, incidents, and updates. | Stakeholders are not informed of critical application changes or incidents. | Communication plan including notification protocols and stakeholder-specific messaging. |
| K1-11.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Evaluate whether stakeholder feedback is collected, tracked, and used for application improvement. | Stakeholder feedback is not captured or considered in decision making. | Feedback loop mechanisms including surveys, user testing, and issue tracking with resolution logs. |
| K1-12.1.1 | K - Information Technology | K1 - Applications / Stakeholder Alignment and Management | Determine the alignment of application capabilities with business objectives and user needs. | Application does not align with business objectives or evolving user needs. | Periodic review of application relevance and functionality against business strategies. |
| K1-13.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Assess the effectiveness of processes used to gather business and technical requirements. | Incomplete or ambiguous requirements result in system failures or rework. | Use of standardized templates and peer reviews to ensure clarity and completeness. |
| K1-14.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Evaluate whether requirements are clearly documented, validated, and approved by stakeholders. | Requirements are not validated or approved by appropriate stakeholders. | Formal validation and sign-off procedures with documented approvals. |
| K1-15.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Determine whether requirements align with business objectives and regulatory needs. | Business objectives are not reflected in system requirements. | Requirements mapping to business goals and regulatory drivers. |
| K1-16.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Verify traceability of requirements throughout the system development lifecycle. | Lack of traceability from requirements to development and testing artifacts. | Use of traceability matrices to link requirements to design, code, and test cases. |
| K1-17.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Assess mechanisms for handling changes to requirements, including version control and impact analysis. | Uncontrolled changes to requirements during the project lifecycle. | Change control process with versioning and documented impact assessments. |
| K1-18.1.1 | K - Information Technology | K1 - Applications / Requirements Gathering | Evaluate stakeholder involvement and communication during requirements gathering. | Insufficient stakeholder involvement during requirements gathering. | Structured stakeholder engagement plans and documentation of meetings/interviews. |
| K1-19.1.1 | K - Information Technology | K1 - Applications / Application Strategy | Assess the alignment of the application strategy with business goals and digital transformation initiatives. | Application investments do not support strategic goals. | Defined application strategy aligned with enterprise architecture and business priorities. |
| K1-20.1.1 | K - Information Technology | K1 - Applications / Application Strategy | Evaluate the governance processes for application portfolio decision-making (e.g., buy/build/retire). | Redundant, outdated, or underutilized applications. | Application portfolio management with regular reviews and rationalization policies. |
| K1-21.1.1 | K - Information Technology | K1 - Applications / Application Strategy | Review whether the application lifecycle (acquisition, development, maintenance, decommission) is defined and followed. Verify cost, risk, and value considerations in application strategy decisions. | Inefficient buy/build/retire decisions. | Formal governance with cost-benefit and risk analysis for application lifecycle decisions. |
| K1-22.1.1 | K - Information Technology | K1 - Applications / Application Strategy | Assess data and system integration planning within the application ecosystem. | Poor integration and interoperability. | Defined standards and roadmap for system integration and Application Programming Interface (API) management. |
| K1.23.1.1 | K - Information Technology | K1 - Applications / Application Strategy | Ensure controls support the security, scalability, and modernization of key applications. | Security vulnerabilities in legacy or shadow applications. | Application risk assessments and modernization plans based on criticality and exposure. |
| K1.23.1.2 | K - Information Technology | K1 - Applications / Application Strategy | Ensure controls support the security, scalability, and modernization of key applications. | Lack of scalability or flexibility in key applications. | Architecture principles emphasizing modularity, cloud-readiness, and scalability. |
| K1.23.1.3 | K - Information Technology | K1 - Applications / Application Strategy | Ensure controls support the security, scalability, and modernization of key applications. | Missed opportunities for innovation or automation. | Innovation criteria incorporated into application investment planning. |
| K1-24.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Evaluate the effectiveness and efficiency of the application development lifecycle (System Development Life Cycle (SDLC) / Agile / Development Operations (DevOps)). | Applications fail to meet business requirements. | Defined requirements gathering and stakeholder sign-off processes. |
| K1-25.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Assess adherence to secure coding practices, testing standards, and quality assurance. | Security vulnerabilities in code. | Secure coding guidelines and automated code scanning tools. |
| K1-26.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Verify that application delivery meets business requirements, timelines, and budget constraints. | Poor software quality or bugs in production. | Comprehensive testing procedures and Quality Assurance (QA) environments. |
| K1-26.1.2 | K - Information Technology | K1 - Applications / Application Development and Delivery | Verify that application delivery meets business requirements, timelines, and budget constraints. | Missed deadlines or budget overruns. | Project tracking and periodic progress reviews against baselines. |
| K1-27.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Review controls for change management, code reviews, and deployment processes. | Uncontrolled changes and unauthorized deployments. | Formal change management and access-controlled deployment pipelines. |
| K1-28.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Ensure compliance with data protection, regulatory, and privacy requirements during development. | Incompatibility or integration issues. | Architecture review boards and integration testing. |
| K1-29.1.1 | K - Information Technology | K1 - Applications / Application Development and Delivery | Evaluate post-deployment support and defect resolution processes. | Non-compliance with privacy or regulatory standards. | Privacy impact assessments and data protection checklists. |
| K1-29.1.2 | K - Information Technology | K1 - Applications / Application Development and Delivery | Evaluate post-deployment support and defect resolution processes. | Lack of monitoring or support post-deployment. | Incident and defect tracking systems with Service-Level Agreements (SLAs). |
| K1-30.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Evaluate the governance process for selecting applications aligned with business and technical requirements. | Application selected does not meet business needs. | Defined requirements gathering process and evaluation criteria. |
| K1-31.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Assess the due diligence performed during vendor evaluation and selection. | Inadequate vendor due diligence. | Formal Request for Proposal (RFP) / Request for Information (RFI) process and vendor scoring methodology. |
| K1-32.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Review the project planning and risk management practices used during implementation. | Project delays and budget overruns. | Project planning, resource management, and milestone tracking. |
| K1-33.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Verify the adequacy of testing, data migration, and user acceptance procedures. | Data loss or corruption during migration. | Data migration plans with validation and rollback procedures. |
| K1-34.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Ensure security, compliance, and data privacy requirements are addressed throughout the process. | Security and compliance gaps in the implemented system. | Security and privacy controls integrated into project lifecycle. |
| K1-35.1.1 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Determine whether implementation goals, budgets, and timelines were achieved. | Insufficient user adoption or training. | Training plans, stakeholder involvement, and change management practices. |
| K1-35.1.2 | K - Information Technology | K1 - Applications / Application Selection and Implementation | Determine whether implementation goals, budgets, and timelines were achieved. | Inadequate testing before go-live. | Comprehensive test plans including User Acceptance Testing (UAT), performance, and regression testing. |
| K1-36.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Assess whether application maintenance activities support business continuity and operational efficiency. | Unresolved bugs and performance issues. | Defined incident and problem management with escalation procedures. |
| K1-37.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Evaluate the effectiveness of change management and patch management processes. | Unauthorized or undocumented changes to production applications. | Formal change management policies with approvals and rollback procedures. |
| K1-38.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Verify that incident and problem management procedures ensure timely issue resolution. | Delayed application updates or patches. | Patch management schedules and vulnerability scanning. |
| K1-39.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Ensure that maintenance activities are aligned with performance, compliance, and security requirements. | Poor application performance or downtime. | Monitoring and performance tuning procedures. |
| K1-40.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Review the adequacy of documentation, version control, and release practices. | Non-compliance with regulatory or security requirements. | Maintenance activities reviewed for compliance and security alignment. |
| K1-40.1.2 | K - Information Technology | K1 - Applications / Application Maintenance | Review the adequacy of documentation, version control, and release practices. | Loss of system knowledge due to undocumented updates. | Version control systems and update documentation requirements. |
| K1-41.1.1 | K - Information Technology | K1 - Applications / Application Maintenance | Determine the adequacy of vendor support and Service-Level Agreements (SLAs) for third-party applications. | Vendor Service-Level Agreements (SLAs) not enforced or monitored. | Vendor performance reviews and Service-Level Agreement (SLA) monitoring reports. |
| K1-42.1.1 | K - Information Technology | K1 - Applications / Enterprise Architecture | Evaluate the alignment of Enterprise Architecture (EA) with business strategies and goals. | IT initiatives are misaligned with business strategy. | Documented Enterprise Architecture (EA) framework integrated with business planning processes. |
| K1-43.1.1 | K - Information Technology | K1 - Applications / Enterprise Architecture | Assess the governance structure and decision-making framework for Enterprise Architecture (EA) initiatives. | Inconsistent or conflicting technology decisions. | Defined architecture principles and technology standards. |
| K1-44.1.1 | K - Information Technology | K1 - Applications / Enterprise Architecture | Verify that Enterprise Architecture (EA) principles, standards, and frameworks (e.g., The Open Group Architecture Framework (TOGAF), Zachman Framework) are defined and followed. | Siloed or redundant systems and data. | Centralized Enterprise Architecture (EA) governance and integration planning. |
| K1-45.1.1 | K - Information Technology | K1 - Applications / Enterprise Architecture | Review how Enterprise Architecture (EA) enables integration, scalability, and agility across IT systems and platforms. | Lack of scalability and agility in systems. | Use of modular architecture and service-oriented designs. |
| K1-46.1.1 | K - Information Technology | K1 - Applications / Enterprise Architecture | Assess the effectiveness of Enterprise Architecture (EA) in managing IT complexity, risk, and innovation. | Poor visibility into IT dependencies and impacts. | Comprehensive architecture documentation and system maps. |
| K1-46.1.2 | K - Information Technology | K1 - Applications / Enterprise Architecture | Assess the effectiveness of Enterprise Architecture (EA) in managing IT complexity, risk, and innovation. | Ineffective governance of Enterprise Architecture (EA) initiatives. | Enterprise Architecture (EA) steering committees and architectural review boards. |
| K1-47.1.1 | K Information Technology | K1 - Applications / Enterprise Architecture | Ensure Enterprise Architecture (EA) artifacts (e.g., roadmaps, diagrams, repositories) are maintained and used in decision-making. | Stagnant architecture unable to support innovation. | Periodic reviews of Enterprise Architecture (EA) maturity and continuous improvement programs. |
| K1-48.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Assess the alignment of the IT innovation strategy with overall business goals and competitive advantage. | Innovation efforts are misaligned with business goals. | Documented innovation strategy aligned with strategic planning. |
| K1-49.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Evaluate the governance, funding, and prioritization mechanisms for innovation initiatives. | Lack of governance over innovation investments. | Innovation councils and review boards with defined evaluation criteria. |
| K1-50.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Verify that innovation processes foster ideation, experimentation, and scaling of successful concepts. | Missed opportunities due to slow adoption of emerging technologies. | Horizon scanning, technology scouting, and pilot funding programs. |
| K1-51.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Review risk management, ethical, and compliance considerations in innovation projects. | Wasted resources on ineffective innovation initiatives. | Stage-gate process with business case development and ROI analysis. |
| K1-52.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Ensure mechanisms exist for capturing, evaluating, and measuring innovation outcomes. | Failure to scale successful pilots. | Defined pathways for scaling and enterprise integration of proven solutions. |
| K1-53.1.1 | K Information Technology | K1 - Applications / IT Innovation Strategy | Determine how emerging technologies are assessed, piloted, and integrated into enterprise capabilities. | Innovation introduces regulatory, security, or ethical risks. | Risk assessments, data governance, and legal reviews of innovation projects. |
| K1-53.1.2 | K Information Technology | K1 - Applications / IT Innovation Strategy | Determine how emerging technologies are assessed, piloted, and integrated into enterprise capabilities. | Low participation from employees or external partners. | Innovation platforms, incentive programs, and stakeholder engagement plans. |
| K1-54.1.1 | K Information Technology | K1 - Applications / IT Product Management | Evaluate the effectiveness of IT product lifecycle management from ideation to retirement. | Misalignment between IT products and business objectives. | Strategic product roadmaps aligned with business strategy. |
| K1-55.1.1 | K Information Technology | K1 - Applications / IT Product Management | Assess alignment of IT products with business strategy, customer needs, and stakeholder expectations. | Lack of governance over product investments. | Product governance committees with defined decision-making criteria. |
| K1-56.1.1 | K Information Technology | K1 - Applications / IT Product Management | Verify the governance framework for prioritization, funding, and decision-making. | Failure to meet customer expectations. | Customer feedback loops and product performance Key Performance Indicators (KPIs). |
| K1-57.1.1 | K Information Technology | K1 - Applications / IT Product Management | Ensure that risk, compliance, and security considerations are embedded throughout the product lifecycle. | Ineffective backlog or feature prioritization. | Agile/Lean prioritization frameworks and stakeholder review processes. |
| K1-57.1.2 | K Information Technology | K1 - Applications / IT Product Management | Ensure that risk, compliance, and security considerations are embedded throughout the product lifecycle. | Security or compliance gaps in products. | Integration of privacy, security, and compliance into product development and delivery. |
| K1-58.1.1 | K Information Technology | K1 - Applications / IT Product Management | Review performance monitoring, customer feedback mechanisms, and continuous improvement practices. | Delayed product releases and missed milestones. | Product management frameworks with timelines, budgets, and performance reviews. |
| K1-59.1.1 | K Information Technology | K1 - Applications / IT Product Management | Determine whether cross-functional collaboration is established among business, IT, and operations. | Lack of ownership or accountability. | Clear product owner roles and responsibilities defined in governance models. |
| K2-1.1.1 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Assess whether the organization’s cloud strategy aligns with business and IT objectives. | Cloud strategy misaligned with business objectives. | Formalized and documented cloud strategy reviewed by executive leadership and aligned with enterprise goals. |
| K2-2.1.1 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Evaluate governance and risk management processes related to cloud infrastructure. | Inadequate governance over cloud adoption and usage. | Defined governance framework for cloud services including roles, responsibilities, and policies. |
| K2-3.1.1 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Ensure appropriate security, compliance, and data protection mechanisms are in place in the cloud environment. | Unauthorized access to cloud resources. | Implementation of Identity and Access Management (IAM), multi-factor authentication, and role-based access control. |
| K2-3.1.2 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Ensure appropriate security, compliance, and data protection mechanisms are in place in the cloud environment. | Data breaches or loss due to poor security controls. | Encryption of data at rest and in transit, regular security assessments, and incident response planning. |
| K2-3.1.3 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Ensure appropriate security, compliance, and data protection mechanisms are in place in the cloud environment. | Non-compliance with legal and regulatory requirements. | Compliance monitoring tools and processes integrated into cloud deployments. |
| K2-4.1.1 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Verify cost management and optimization strategies for cloud infrastructure. | Uncontrolled cloud costs or budget overruns. | Cloud cost monitoring, budgeting tools, and regular review of usage and billing. |
| K2-5.1.1 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Assess the adequacy of vendor and service-level management for cloud providers. | Dependence on a single cloud provider leading to vendor lock-in. | Cloud exit strategies and multi-cloud or hybrid cloud architectures. |
| K2-5.1.2 | K Information Technology | K2 - Infrastructure & Operations / Infrastructure Cloud Strategy | Assess the adequacy of vendor and service-level management for cloud providers. | Inadequate service levels and poor vendor performance. | Established Service-Level Agreements (SLAs) and regular vendor performance reviews. |
| K2-6.1.1 | K Information Technology | K2 - Infrastructure & Operations / Asset and Configuration Management | Evaluate the accuracy and timeliness of updates to asset and configuration data. | Unauthorized or untracked changes to assets or configuration items. | Integration of configuration management with change control processes. |
| K2-7.1.1 | K Information Technology | K2 - Infrastructure & Operations / Asset and Configuration Management | Assess whether asset and configuration management processes are aligned with organizational policies and standards. | Lack of asset lifecycle visibility leading to increased costs or vulnerabilities. | Defined asset lifecycle processes from procurement through disposal. |
| K2-8.1.1 | K Information Technology | K2 - Infrastructure & Operations / Asset and Configuration Management | Review access controls and security over the asset and configuration management tools and data. | Security vulnerabilities due to misconfigured or unknown assets. | Regular audits and configuration baselines aligned with security policies. |
| K2-8.1.2 | K Information Technology | K2 - Infrastructure & Operations / Asset and Configuration Management | Review access controls and security over the asset and configuration management tools and data. | Inadequate access control to asset and configuration records. | Role-based access to the Configuration Management Database (CMDB) and logging of changes. |
| K2-9.1.1 | K Information Technology | K2 - Infrastructure & Operations / Asset and Configuration Management | Evaluate integration with other Information Technology Service Management (ITSM) processes (e.g., change, incident, problem management). | Failure to identify interdependencies among configuration items. | Mapping and maintenance of relationships between Configuration Items (CIs) in the Configuration Management Database (CMDB). |
| K2-10.1.1 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Evaluate whether IT operations management processes align with organizational objectives and industry best practices. | Lack of alignment between IT operations and business objectives. | Documented IT operations strategy integrated with business goals and reviewed periodically. |
| K2-11.1.1 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Assess the adequacy of monitoring, incident, and problem management processes. | Unmonitored or undetected system failures leading to downtime. | Centralized monitoring tools and automated alerts for critical systems and infrastructure. |
| K2-11.1.2 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Assess the adequacy of monitoring, incident, and problem management processes. | Delayed response to incidents affecting service availability. | Formalized incident management process with defined Service-Level Agreements (SLAs) and escalation procedures. |
| K2-11.1.3 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Assess the adequacy of monitoring, incident, and problem management processes. | Recurring system issues due to ineffective problem management. | Root cause analysis performed for major incidents and implementation of corrective actions. |
| K2-12.1.1 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Verify the effectiveness of capacity, availability, and performance management practices. | Insufficient system capacity or poor performance. | Capacity and performance management processes, including trend analysis and forecasting. |
| K2-13.1.1 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Ensure that IT operations maintain compliance with security, regulatory, and governance requirements. | Non-compliance with regulatory or governance requirements. | Compliance monitoring embedded in operational processes and periodic audits. |
| K2-14.1.1 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Ensure that IT operations maintain compliance with security, regulatory, and governance requirements. | Unauthorized changes impacting operations stability. | Integration of change management controls with operations management processes. |
| K2-14.1.2 | K Information Technology | K2 - Infrastructure & Operations / Operations Management | Evaluate business continuity, backup, and recovery processes within IT operations. | Inadequate data backup and recovery capabilities. | Regularly tested backup and recovery procedures, aligned with recovery objectives: Recovery Time Objectives / Recovery Point Objectives (RTOs/RPOs). |
| K2-15.1.1 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Evaluate whether change and release management processes are designed to minimize risk and disruption to IT services. | Unauthorized or unapproved changes leading to system instability or security vulnerabilities. | Formal change approval workflows with documented authorization by a Change Advisory Board (CAB). |
| K2-16.1.1 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Verify that releases are deployed in a controlled, secure, and standardized manner. | Inadequate testing of changes causing production issues or outages. | Mandatory pre-implementation testing in controlled environments with documented results. |
| K2-17.1.1 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Determine whether rollback procedures exist and are effective in case of failed changes or releases. | Inability to recover quickly from failed changes or releases. | Documented rollback and contingency plans tested regularly to ensure effectiveness. |
| K2-18.1.1 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Assess the adequacy of controls ensuring that all changes are properly authorized, tested, documented, and approved before implementation. | Inadequate segregation of duties resulting in conflicts of interest and fraud risk. | Separation of development, testing, and production responsibilities enforced through access controls. |
| K2-18.1.2 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Assess the adequacy of controls ensuring that all changes are properly authorized, tested, documented, and approved before implementation. | Lack of standardized release management causing failed or inconsistent deployments. | Defined release management process with standard deployment checklists and automation where feasible. |
| K2-18.1.3 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Assess the adequacy of controls ensuring that all changes are properly authorized, tested, documented, and approved before implementation. | Changes not properly documented, leading to lack of accountability and poor auditability. | Comprehensive change logs and release documentation retained for audit and tracking purposes. |
| K2-19.1.1 | K Information Technology | K2 - Infrastructure & Operations / Change and Release Management | Ensure compliance with regulatory, security, and governance requirements in change and release processes. | Non-compliance with regulatory or internal policies in change processes. | Periodic compliance reviews and automated policy enforcement in change management tools. |
| K2-20.1.1 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Assess whether IT availability and capacity management processes align with business requirements and Service-Level Agreements (SLAs). | Unplanned downtime leading to business disruption. | High-availability architecture, redundancy, failover mechanisms, and monitoring of uptime. |
| K2-21.1.1 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Determine if capacity planning ensures adequate resources to meet current and future business demands. | Inadequate capacity planning causing performance degradation or service outages. | Regular capacity forecasting, trend analysis, and documented capacity plans aligned with business growth. |
| K2-21.1.2 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Determine if capacity planning ensures adequate resources to meet current and future business demands. | Lack of defined Service-Level Agreements (SLAs) or misalignment with business requirements. | Documented and approved Service-Level Agreements (SLAs) with regular reviews and customer communication. |
| K2-22.1.1 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Evaluate monitoring processes to detect, report, and address capacity and availability issues proactively. | Delayed detection of availability or capacity issues. | Continuous monitoring tools with automated alerts and incident escalation procedures. |
| K2-23.1.1 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Verify that availability and capacity considerations are integrated into IT service design, continuity planning, and vendor management. | Inefficient use of IT resources leading to waste or increased costs. | Periodic capacity utilization reviews, optimization initiatives, and cost-benefit analysis. |
| K2-24.1.1 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Ensure reporting and governance practices provide transparency and accountability for availability and capacity performance. | Dependency on third-party vendors without sufficient availability guarantees. | Vendor Service-Level Agreements (SLAs) reviewed, monitored, and enforced through contract management. |
| K2-24.1.2 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Ensure reporting and governance practices provide transparency and accountability for availability and capacity performance. | Insufficient integration with disaster recovery and business continuity planning. | Capacity and availability requirements embedded in continuity and recovery strategies. |
| K2-24.1.3 | K Information Technology | K2 - Infrastructure & Operations / Availability and Capacity Management | Ensure reporting and governance practices provide transparency and accountability for availability and capacity performance. | Lack of reporting and governance oversight. | Regular management reporting, dashboards, and periodic reviews of capacity and availability Key Performance Indicators (KPIs). |
| K2-25.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Evaluate whether incident and problem management processes are defined, documented, and aligned with Information Technology Infrastructure Library (ITIL)/industry best practices. | Without structured incident/problem management, issues may not be resolved in a timely manner, causing prolonged business disruption. | Formal incident and problem management policies and procedures aligned with Information Technology Infrastructure Library (ITIL) are documented, approved, and communicated. |
| K2-26.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Evaluate whether incident and problem management processes are defined, documented, and aligned with Information Technology Infrastructure Library (ITIL)/industry best practices. | Incidents may not be logged consistently, leading to missed tracking, duplicate work, or delayed resolution. | Centralized ticketing system enforces mandatory fields for categorization, prioritization, and assignment. |
| K2-27.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Assess the effectiveness of incident handling in minimizing downtime and business disruption. Ensure problem management identifies root causes and implements permanent solutions. | Problems recur due to lack of thorough analysis and permanent fixes. | Root Cause Analysis (RCA) methodology is defined, documented, and used for all major problems. |
| K2-28.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Confirm roles, responsibilities, and escalation paths are clearly defined and followed. | Delays occur when critical incidents are not escalated to the right teams. | Automated escalation rules and documented escalation paths are in place. |
| K2-28.1.2 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Confirm roles, responsibilities, and escalation paths are clearly defined and followed. | Business stakeholders are not informed of incidents or resolutions, reducing trust in IT. | Incident communication plans (including severity levels and notification protocols) are documented and tested. |
| K2-29.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Verify compliance with Service-Level Agreements (SLAs), regulatory requirements, and organizational policies. | Failure to meet Service-Level Agreement (SLA) response and resolution times can reduce business satisfaction and increase operational risk. | Service-Level Agreement (SLA) compliance dashboards and automated alerts track resolution performance. |
| K2-30.1.1 | K Information Technology | K2 - Infrastructure & Operations / Incident and Problem Management | Assess monitoring, reporting, and continuous improvement mechanisms. | Management cannot identify recurring issues or measure performance. | Regular reporting on incident volume, problem resolution time, Service-Level Agreement (SLA) adherence, and trend analysis is conducted. |
| K2-31.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Evaluate the effectiveness and efficiency of Service Desk operations. | Incidents and service requests are not consistently recorded or tracked. | Mandatory logging and unique ticketing for all user contacts. |
| K2-32.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Determine whether incidents and service requests are logged, categorized, prioritized, and resolved according to defined procedures. | Inconsistent categorization and prioritization of incidents. | Use of standardized templates, drop-down fields, and decision trees. |
| K2-33.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Assess compliance with Service-Level Agreements (SLAs) and performance targets. | Service levels are not monitored or enforced. | Service-level monitoring tools and periodic Service-Level Agreement (SLA) performance reviews. |
| K2-34.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Verify the adequacy of escalation procedures and communication with users. | Users are unaware of ticket status or resolution steps. | Automated notifications and user-accessible ticket tracking portals. |
| K2-35.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Verify the adequacy of escalation procedures and communication with users. | Recurring issues are not identified or analyzed. | Problem management process and incident trend analysis reporting. |
| K2-36.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Desk | Assess the quality and usefulness of documentation, knowledge base, and training materials. Review user satisfaction measurement and feedback mechanisms. | User dissatisfaction due to delays or poor support. | Regular user satisfaction surveys and feedback review process. |
| K2-37.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Evaluate the design and implementation of the organization's business continuity management program. | Lack of formal continuity planning. | Documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) aligned with business priorities. |
| K2-38.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Verify the existence and adequacy of Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs). | Inability to recover from disruptions. | Defined recovery strategies and Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for critical systems. |
| K2-39.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Assess the organization's ability to recover critical IT systems and business processes in the event of a disruption. | Plans not tested or updated regularly. | Scheduled plan reviews and simulation exercises. |
| K2-40.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Ensure periodic testing, review, and update of continuity plans. | Unclear roles and responsibilities during crises. | Crisis management structure with training and contact rosters. |
| K2-41.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Assess alignment of continuity strategies with Business Impact Analysis (BIA) results and risk assessments. | Non-compliance with regulatory or industry continuity standards. | Monitoring compliance with standards like International Organization for Standardization (ISO) 22301, National Institute of Standards and Technology (NIST). |
| K2-42.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Evaluate roles, responsibilities, training, and awareness of personnel involved in continuity management. | Lack of employee awareness. | Business Continuity Management (BCM) awareness campaigns, onboarding training, and refreshers. |
| K2-43.1.1 | K Information Technology | K2 - Infrastructure & Operations / Business Continuity Management (BCM) | Verify integration of Business Continuity Management (BCM) with third-party and supply chain resilience practices. | Third-party outages impacting operations. | Vendor resilience assessment and continuity clauses in contracts. |
| K2-44.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Evaluate whether IT Service Management (ITSM) processes align with business objectives and Information Technology Infrastructure Library (ITIL)/industry best practices. | Lack of a defined IT service management framework. | Documented IT Service Management (ITSM) policies and procedures aligned with Information Technology Infrastructure Library (ITIL) or International Organization for Standardization (ISO) 20000. |
| K2-45.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Assess the effectiveness of IT Service Management (ITSM) policies, governance, and procedures in ensuring service delivery. | Misalignment between IT services and business needs. | Regular service reviews with stakeholders, service catalog linked to business objectives. |
| K2-46.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Confirm that service levels are defined, monitored, and reported consistently. | Poor incident and problem handling leading to prolonged outages. | Centralized service desk, ticketing tool, incident/problem escalation procedures. |
| K2-47.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Confirm that service levels are defined, monitored, and reported consistently. | Service-Level Agreements (SLAs) not defined or enforced. | Documented Service-Level Agreements (SLAs) with automated monitoring and reporting dashboards. |
| K2-48.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Verify that incident, problem, change, release, and service request management processes are integrated within service management. | Inconsistent change and release management leading to service disruptions. | Formalized change/release management process with approvals and testing. |
| K2-49.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Verify that incident, problem, change, release, and service request management processes are integrated within service management. | Lack of integration across IT Service Management (ITSM) processes (incident, problem, change, etc.). | Information Technology Service Management (ITSM) platform integrates service processes with workflow automation. |
| K2-50.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Evaluate whether service management supports continuous improvement and customer satisfaction. | Insufficient performance monitoring and reporting. | Regular Key Performance Indicator/Service-Level Agreement (KPI/SLA) reports to management and service owners. |
| K2-51.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Evaluate whether service management supports continuous improvement and customer satisfaction. | Failure to adopt continuous improvement. | Post-implementation reviews, lessons learned, Continual Service Improvement (CSI) program. |
| K2-52.1.1 | K Information Technology | K2 - Infrastructure & Operations / Service Management | Ensure compliance with contractual, regulatory, and organizational requirements. | Non-compliance with regulatory or contractual obligations. | Compliance monitoring, vendor Service-Level Agreement (SLA) oversight, and periodic audits. |
| K3-1.1.1 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Evaluate the existence, adequacy, and alignment of the organization's security and privacy strategy with business objectives and regulatory requirements. | Lack of a formal security and privacy strategy leads to inconsistent or reactive risk management. | Documented and approved enterprise-wide security and privacy strategy aligned with objectives. |
| K3-2.1.1 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Assess governance and oversight mechanisms in place to manage security and privacy risks. | Failure to comply with laws and regulations regarding data protection and privacy. | Regular legal reviews and compliance assessments; integration of regulatory updates into policies. |
| K3-3.1.1 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Verify that risk assessments, policies, and controls are implemented and updated regularly. | Security and privacy risks not assessed or monitored regularly. | Defined roles and accountability frameworks (e.g., Chief Information Security Officer (CISO), Data Protection Officer (DPO)). |
| K3-3.1.2 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Verify that risk assessments, policies, and controls are implemented and updated regularly. | Unclear responsibilities for security and privacy management. | Mandatory training programs and periodic awareness campaigns. |
| K3-4.1.1 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Determine whether roles and responsibilities for security and privacy are clearly defined and communicated. Assess training, awareness, and incident response capabilities related to security and privacy. | Employees unaware of security and privacy obligations. | Periodic enterprise risk assessments and continuous monitoring tools. |
| K3-5.1.1 | K Information Technology | K3 - Information Security Services / Security and Privacy Strategy | Evaluate how security and privacy considerations are integrated into projects, systems, and operations. | Delayed response to security or privacy incidents. | Documented and tested incident response and data breach notification procedures. |
| K3-6.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Evaluate the design and implementation of the organization’s privacy program. | Lack of a formal privacy program. | Approved privacy program framework, policy, and charter. |
| K3-7.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Assess compliance with applicable privacy laws and regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS)). | Non-compliance with laws and regulations. | Regular legal reviews, gap assessments, and policy updates. |
| K3-8.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Verify governance structures and clearly defined roles and responsibilities (e.g., Data Protection Officer (DPO)). | Undefined privacy responsibilities and governance. | Appointment of Data Protection Officer (DPO); documented accountability matrix. |
| K3-9.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Ensure effective data inventory and mapping of personal data throughout its lifecycle. | Incomplete personal data inventory and flow maps. | Data mapping exercises and periodic updates to data inventories. |
| K3-10.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Evaluate policies, procedures, and training to promote privacy awareness. | Lack of employee awareness. | Mandatory privacy training and phishing/privacy awareness campaigns. |
| K3-11.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Review mechanisms for managing data subject rights, such as access, correction, deletion, and consent. | Inability to fulfill data subject rights (e.g., access, deletion). | Defined Data Subject Access Request (DSAR) process with documented Service-Level Agreements (SLAs). |
| K3-12.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Assess the organization’s readiness and response capabilities for privacy-related incidents and breaches. | Delayed breach notification or incident handling. | Documented breach response plan and periodic tabletop exercises. |
| K3-13.1.1 | K Information Technology | K3 - Information Security Services / Privacy Program Management | Ensure there are continuous monitoring and improvement mechanisms in place. | No tracking or improvement of privacy practices. | Key Performance Indicators (KPIs), internal audits, and external assessments on privacy controls. |
| K3-14.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Assess the effectiveness of security operations in detecting, preventing, and responding to threats. | Delayed detection and response to security incidents. | 24/7 Security Operations Center (SOC) monitoring with incident response playbooks. |
| K3-15.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Evaluate the structure, staffing, and capabilities of the Security Operations Center (SOC). | Security events not properly logged or analyzed. | Security Information and Event Management (SIEM) tools with log correlation. |
| K3-16.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Verify that security monitoring, alerting, and incident response procedures are in place and followed. | Unpatched vulnerabilities exploited by attackers. | Automated vulnerability scanning and patch management processes. |
| K3-17.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Ensure that vulnerabilities are identified, assessed, and remediated in a timely manner. | Lack of coordination during incident response. | Documented and tested incident response plan with defined roles. |
| K3-18.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Review the integration of threat intelligence, Security Information and Event Management (SIEM), and security automation tools. | Incomplete visibility into endpoints, networks, or cloud environments. | Centralized visibility using Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and cloud security tools. |
| K3-19.1.1 | K Information Technology | K3 - Information Security Services / Security Operations | Determine compliance with internal policies, industry standards, and regulatory requirements. | Ineffective use of threat intelligence. | Integration of threat feeds and contextual intelligence into monitoring processes. |
| K3-19.1.2 | K Information Technology | K3 - Information Security Services / Security Operations | Determine compliance with internal policies, industry standards, and regulatory requirements. | Non-compliance with standards such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), or Center for Internet Security (CIS). | Security controls mapped to compliance frameworks and periodically assessed. |
| K3-20.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Assess the effectiveness of the organization’s security management framework and strategy. | Security policies and procedures are outdated or not followed. | Regularly reviewed and approved information security policies. |
| K3-21.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Verify the existence and implementation of policies, standards, and procedures governing security. | Lack of accountability for security responsibilities. | Defined roles, responsibilities, and ownership of security functions. |
| K3-22.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Evaluate how security roles and responsibilities are defined, communicated, and executed. | Security risks are not identified or assessed properly. | Formalized risk assessment and risk treatment processes. |
| K3-23.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Ensure risk management practices are in place to identify, assess, and mitigate security threats. | Unauthorized access to systems or data. | Access controls, authentication mechanisms, and periodic access reviews. |
| K3-24.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Review how physical, logical, and administrative security controls are maintained and monitored. | Inadequate physical and environmental protections. | Physical access controls, surveillance, and secure facility design. |
| K3-24.1.2 | K Information Technology | K3 - Information Security Services / Security Management | Review how physical, logical, and administrative security controls are maintained and monitored. | Security incidents go undetected or unaddressed. | Incident management procedures, monitoring tools, and response teams. |
| K3-25.1.1 | K Information Technology | K3 - Information Security Services / Security Management | Verify compliance with regulatory, legal, and industry standards related to information security. | Failure to meet regulatory and compliance requirements. | Security program aligned with applicable laws and regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS)). |
| K3-26.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Evaluate the design and effectiveness of identity and access management controls. | Excessive or unauthorized access to systems and data. | Role-based access controls and least privilege enforcement. |
| K3-27.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Ensure that access to systems and data is provisioned based on the principle of least privilege. | Access not removed for terminated or transferred employees. | Automated de-provisioning and HR system integration. |
| K3-28.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Verify that access rights are reviewed and updated regularly. | Lack of periodic access reviews. | Scheduled and documented access recertification processes. |
| K3-29.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Assess user authentication mechanisms and controls (e.g., Multi-Factor Authentication (MFA), password policies). | Weak authentication mechanisms. | Use of Multi-Factor Authentication (MFA) and strong password policies. |
| K3-30.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Ensure that terminated or transferred users’ access is removed or updated promptly. | Inadequate control over privileged accounts. | Privileged access management (PAM) solutions and activity monitoring. |
| K3-31.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Evaluate privileged access management and monitoring. | Shared or generic account usage. | Accountability through unique user IDs and prohibition of shared accounts. |
| K3-32.1.1 | K Information Technology | K3 - Information Security Services / Identity and Access Management | Ensure that Identity and Access Management (IAM) practices comply with regulatory and organizational policies. | Identity and Access Management (IAM) processes not aligned with regulations. | Compliance assessments and policy enforcement. |
| K3-33.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Evaluate the effectiveness of the security risk management framework. | Security risks are not systematically identified. | Standardized risk assessment methodology and periodic risk assessments. |
| K3-34.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Evaluate the effectiveness of the security risk management framework. | Unclear ownership of security risk. | Documented risk ownership and accountability assignments. |
| K3-35.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Assess whether security risks are consistently identified, assessed, and prioritized. | Inadequate prioritization of high-impact risks. | Risk scoring and categorization aligned with impact and likelihood. |
| K3-35.1.2 | K Information Technology | K3 - Information Security Services / Risk Management | Assess whether security risks are consistently identified, assessed, and prioritized. | Lack of action on known risks. | Risk treatment plans with deadlines, resources, and monitoring. |
| K3-36.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Review whether residual risks are documented and accepted by appropriate authorities. | Residual risks are not reviewed or accepted. | Formal residual risk acceptance and sign-off procedures. |
| K3-37.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Determine the adequacy of communication and escalation of risks to senior leadership and stakeholders. | Lack of visibility into enterprise-wide risk posture. | Centralized risk register and reporting to executive leadership. |
| K3-38.1.1 | K Information Technology | K3 - Information Security Services / Risk Management | Verify that appropriate risk mitigation strategies are developed, implemented, and monitored. Ensure security risk management activities align with business objectives and compliance requirements. | Failure to align with regulatory risk management standards. | Risk management aligned with National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27005, or similar frameworks. |
| K3-39.1.1 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Assess the design and operating effectiveness of internal security controls. Verify that security controls align with established frameworks (e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001, Control Objectives for Information and Related Technologies (COBIT)). | Inadequate security controls to protect critical systems and data. | Documented control framework aligned to National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001, or Center for Internet Security (CIS). |
| K3-40.1.1 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Determine whether internal controls mitigate known and emerging security risks. | Security controls not functioning as intended. | Periodic control testing and monitoring of effectiveness. |
| K3-41.1.1 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Evaluate the adequacy of control testing, documentation, and assurance processes. | No accountability for control failures. | Assignment of control ownership and escalation protocols. |
| K3-42.1.1 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Review the independence, frequency, and coverage of internal security assessments. | Internal audits lack independence or rigor. | Use of qualified, independent internal auditors and third-party assessments. |
| K3-43.1.1 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Ensure management takes timely corrective actions based on security control deficiencies. | Security findings are not addressed. | Formal process for tracking remediation actions and deadlines. |
| K3-43.1.2 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Ensure management takes timely corrective actions based on security control deficiencies. | Controls are not updated for new risks or technologies. | Annual review and refresh of control environment based on threat landscape. |
| K3-43.1.3 | K Information Technology | K3 - Information Security Services / Internal Controls and Assurance | Ensure management takes timely corrective actions based on security control deficiencies. | Compliance gaps are not identified or reported. | Regular compliance assessments with documented exceptions and plans. |
| K3-44.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Assess the effectiveness of the security compliance management framework. | Failure to identify applicable compliance requirements. | Compliance register updated with relevant laws, standards, and contracts. |
| K3-45.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Verify that regulatory, legal, and contractual security requirements are identified and documented. | Security controls do not meet regulatory requirements. | Security control framework mapped to compliance standards (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), Criminal Justice Information Services (CJIS)). |
| K3-46.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Verify that regulatory, legal, and contractual security requirements are identified and documented. | Inconsistent documentation of compliance evidence. | Centralized compliance documentation repository with access controls. |
| K3-47.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Evaluate processes for mapping security controls to compliance obligations. | Delayed or missed compliance assessments. | Scheduled assessments with defined roles and timelines. |
| K3-48.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Determine the adequacy and timeliness of compliance assessments and audits. | Non-compliance findings not addressed. | Issue tracking system with deadlines, owners, and verification of remediation. |
| K3-49.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Ensure that non-compliance issues are remediated and escalated appropriately. | Lack of awareness about compliance responsibilities. | Mandatory compliance training and role-based awareness programs. |
| K3-50.1.1 | K Information Technology | K3 - Information Security Services / Compliance Management | Review staff training and awareness programs related to security compliance. | Failure to report compliance status to management. | Regular compliance dashboards and reporting to senior leadership. |
| K4-1.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Assess the existence and effectiveness of the data governance framework. | Lack of formal data governance framework. | Documented data governance policies, structure, and oversight. |
| K4-2.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Verify roles and responsibilities for data ownership, stewardship, and accountability. | Unclear roles for data ownership and accountability. | Defined roles for data owners, stewards, and custodians. |
| K4-3.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Evaluate the implementation of data classification, quality, and lifecycle management policies. | Poor data quality impacting decisions. | Data quality standards and validation rules implemented. |
| K4-4.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Determine if controls exist to ensure data integrity, availability, and confidentiality. | Inconsistent data classification and protection. | Established data classification policy and aligned access controls. |
| K4-4.1.2 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Determine if controls exist to ensure data integrity, availability, and confidentiality. | Data retention or deletion not managed. | Data lifecycle management and archiving policies in place. |
| K4-5.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Review compliance with regulatory and internal data management requirements. | Non-compliance with data-related laws. | Ongoing compliance monitoring against regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS)). |
| K4-6.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Governance | Assess how data governance supports data-driven decision-making and analytics. Evaluate monitoring and enforcement mechanisms for data policies and standards. | Ineffective enforcement of data policies. | Automated policy enforcement tools and exception tracking. |
| K4-7.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Evaluate whether the organization has a formalized data strategy aligned with business objectives. | Lack of a formalized data strategy, leading to inconsistent data practices. | Documented enterprise-wide data strategy approved by senior leadership. |
| K4-8.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Assess the governance structure supporting data ownership, stewardship, and accountability. | Misalignment between data strategy and business objectives. | Regular alignment meetings between data governance office and business stakeholders. |
| K4-8.1.2 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Assess the governance structure supporting data ownership, stewardship, and accountability. | Undefined roles and responsibilities for data governance. | Established data governance framework with clear data owners, stewards, and custodians. |
| K4-9.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Determine whether data strategy includes considerations for data quality, integrity, privacy, and security. | Poor data quality impacting analytics and decisions. | Data quality standards, monitoring tools, and remediation procedures. |
| K4-10.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Confirm that the strategy supports effective data integration, analytics, and decision-making. | Non-compliance with data privacy, security, and retention requirements. | Data policies aligned with Federal and State standards (e.g., Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS)). |
| K4-11.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Verify alignment of the data strategy with regulatory, contractual, and industry best practices. | Insufficient integration across enterprise applications and data sources. | Data architecture blueprint, Master Data Management (MDM), and integration tools. |
| K4-12.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Assess whether the strategy incorporates innovation and scalability (cloud, Artificial Intelligence (AI)/Machine Learning (ML), big data). | Lack of innovation or scalability in the strategy. | Strategic roadmap incorporating cloud data platforms, Artificial Intelligence/Machine Learning (AI/ML), and scalability planning. |
| K4-13.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Evaluate the monitoring and performance measurement mechanisms for the data strategy. | Ineffective measurement of data strategy performance. | Defined Key Performance Indicators (KPIs)/metrics (data accuracy, completeness, timeliness, usage). |
| K4-13.1.2 | K Information Technology | K4 - Data & Analytic Services / Data Strategy | Evaluate the monitoring and performance measurement mechanisms for the data strategy. | Overreliance on third-party vendors without oversight. | Vendor data management policies, Service-Level Agreements (SLAs), and periodic compliance reviews. |
| K4-14.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Evaluate whether the organization has a defined strategy for data analytics aligned with business goals. | Analytics not aligned with business objectives, resulting in irrelevant insights. | Documented analytics strategy linked to business goals with stakeholder input. |
| K4-15.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Assess whether data analytics processes ensure accuracy, reliability, and timeliness of insights. | Use of incomplete, inaccurate, or inconsistent data. | Data validation checks, data quality monitoring, and reconciliation processes. |
| K4-16.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Verify that data sources feeding analytics are complete, validated, and authorized. | Lack of governance and accountability in analytics reporting. | Defined roles for data scientists, analysts, and business owners with approval processes. |
| K4-17.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Determine whether appropriate governance, roles, and responsibilities exist for analytics and reporting. | Unauthorized or insecure access to analytics tools and dashboards. | Role-based access control, multifactor authentication, and monitoring of analytics platforms. |
| K4-18.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Assess whether tools and technologies used for analytics are secure, effective, and scalable. | Non-compliance with data privacy and regulatory requirements in analytics. | Privacy-by-design principles, anonymization, and compliance reviews (Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS)). |
| K4-19.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Confirm compliance with privacy, regulatory, and contractual obligations in data analysis and reporting. | Overreliance on manual reporting processes leading to errors and inefficiency. | Automated dashboards and reporting tools with audit trails. |
| K4-20.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Evaluate the effectiveness of monitoring, Key Performance Indicators (KPIs), and continuous improvement practices in analytics. | Inability to scale analytics platforms for big data or advanced use cases (Artificial Intelligence/Machine Learning (AI/ML)). | Cloud-based, scalable analytics platforms with performance monitoring. |
| K4-20.1.2 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Evaluate the effectiveness of monitoring, Key Performance Indicators (KPIs), and continuous improvement practices in analytics. | Lack of transparency or explainability in Artificial Intelligence/Machine Learning (AI/ML) driven insights. | Model governance framework, bias testing, and explainable Artificial Intelligence (AI) controls. |
| K4-20.1.3 | K Information Technology | K4 - Data & Analytic Services / Data Insights and Analytics | Evaluate the effectiveness of monitoring, Key Performance Indicators (KPIs), and continuous improvement practices in analytics. | Poor adoption of analytics by business users. | Training programs, user-friendly dashboards, and stakeholder engagement processes. |
| K4-21.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Evaluate the effectiveness of data development and integration practices in supporting business requirements. | Inaccurate or incomplete data transfers. | Automated validation and reconciliation between source and target systems. |
| K4-22.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Assess the accuracy, completeness, and timeliness of data flows between systems. | Lack of standardized data development practices. | Documented development and integration standards. |
| K4-23.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Verify adherence to data development standards, including design, testing, and documentation. | Unauthorized changes to data pipelines. | Change management procedures and audit trails for integration tools. |
| K4-24.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Ensure integration processes support data quality, security, and integrity. | Security vulnerabilities in data interfaces. | Secure Application Programming Interface (API) gateways, encryption, and access control mechanisms. |
| K4-25.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Review governance of Application Programming Interfaces (APIs), Extract, Transform, Load (ETL) tools, and middleware technologies. | Poor performance or failed data jobs. | Monitoring and alerting for Extract, Transform, Load (ETL)/job failures and performance thresholds. |
| K4-26.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Evaluate change control processes for data structures, pipelines, and integrations. | Data quality degradation during transformation. | Pre- and post-transformation data quality checks. |
| K4-27.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Development and Integration | Assess risk and compliance considerations related to cross-system data movement and transformation. | Lack of documentation for integrations. | Centralized repository for integration mappings, workflows, and metadata. |
| K4-28.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Evaluate the adequacy of data management policies, standards, and governance. | Inconsistent or incomplete data across systems. | Data quality rules and reconciliation processes. |
| K4-29.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Assess the processes for ensuring data quality, accuracy, completeness, and consistency. | Unauthorized access to sensitive data. | Role-based access controls and data encryption. |
| K4-30.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Verify controls over data lifecycle management, including creation, storage, use, sharing, archiving, and disposal. | Lack of ownership or accountability for data. | Defined data stewardship and data ownership roles. |
| K4-30.1.2 | K Information Technology | K4 - Data & Analytic Services / Data Management | Verify controls over data lifecycle management, including creation, storage, use, sharing, archiving, and disposal. | Data retention not aligned with legal or business needs. | Documented data lifecycle policies and automated retention tools. |
| K4-31.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Assess security, privacy, and access controls over organizational data. | Data breaches due to poor governance. | Security policies, monitoring tools, and breach response plans. |
| K4-32.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Review compliance with regulatory requirements related to data management. | Outdated or redundant data cluttering systems. | Data archiving and cleanup processes. |
| K4-33.1.1 | K Information Technology | K4 - Data & Analytic Services / Data Management | Evaluate monitoring and reporting mechanisms for data-related issues and metrics. | Non-compliance with data-related regulations. | Regular compliance audits and privacy assessments. |
| K4-34.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Evaluate whether the organization has a formal Artificial Intelligence (AI) strategy aligned with enterprise goals. | Absence of a defined Artificial Intelligence (AI) strategy leading to fragmented initiatives. | Documented Artificial Intelligence (AI) strategy approved by leadership, integrated with enterprise strategy. |
| K4-35.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Assess governance, roles, and accountability for Artificial Intelligence (AI) initiatives. | Misalignment of Artificial Intelligence (AI) initiatives with business goals. | Periodic reviews of Artificial Intelligence (AI) initiatives by governance committees with business stakeholders. |
| K4-36.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Verify that Artificial Intelligence (AI) strategy incorporates ethical principles, transparency, and fairness. | Lack of governance, accountability, and ownership for Artificial Intelligence (AI) projects. | Artificial Intelligence (AI) governance framework with defined roles (e.g., Artificial Intelligence (AI) Ethics Officer, Data Stewards). |
| K4-36.1.2 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Verify that Artificial Intelligence (AI) strategy incorporates ethical principles, transparency, and fairness. | Artificial Intelligence (AI) models biased or non-transparent, leading to reputational or legal risks. | Model governance, explainable Artificial Intelligence (AI), bias testing, and fairness audits. |
| K4-37.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Determine whether data management practices support reliable and unbiased Artificial Intelligence (AI). | Poor quality or biased data feeding Artificial Intelligence (AI) systems. | Data quality monitoring, diverse datasets, and validation processes. |
| K4-38.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Assess whether risk management processes identify, monitor, and mitigate Artificial Intelligence (AI)-specific risks. | Non-compliance with Artificial Intelligence (AI) regulations. | Legal and compliance reviews, impact assessments, and documentation. |
| K4-39.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Confirm compliance with regulatory, contractual, and ethical requirements for Artificial Intelligence (AI) use. | Security vulnerabilities in Artificial Intelligence (AI) models or data pipelines. | Secure development lifecycle, adversarial testing, and access controls. |
| K4-40.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Evaluate scalability, innovation, and sustainability of the Artificial Intelligence (AI) roadmap. | Inability to scale Artificial Intelligence (AI) across the enterprise. | Artificial Intelligence (AI) strategy roadmap including cloud platforms, Machine Learning Operations (MLOps), and scalability planning. |
| K4-41.1.1 | K Information Technology | K4 - Data & Analytic Services / Artificial Intelligence (AI) Strategy | Review monitoring, Key Performance Indicators (KPIs), and continuous improvement processes for Artificial Intelligence (AI) performance. | Lack of performance monitoring and continuous learning for Artificial Intelligence (AI). | Key Performance Indicators (KPIs) (accuracy, fairness, Return on Investment (ROI)) and retraining processes for Artificial Intelligence (AI) models. |
| K5-1.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Evaluate the alignment of IT talent management with the organization’s strategic goals. | High turnover of skilled IT staff. | Competitive compensation, recognition programs, and career progression planning. |
| K5-2.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Assess the effectiveness of recruiting, developing, and retaining qualified IT personnel. | Gaps in critical IT skills or roles. | Regular skills assessments and training gap analysis. |
| K5-3.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Verify the existence of workforce planning and succession strategies for critical IT roles. | Unauthorized access due to ineffective offboarding. | Timely deprovisioning procedures and automated access removal. |
| K5-4.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Ensure onboarding and offboarding processes are consistently followed and controlled. | Inadequate onboarding leading to low productivity. | Standardized onboarding checklists and IT training schedules. |
| K5-5.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Review training, performance evaluation, and professional development practices for IT staff. | Non-compliance with HR and IT policies. | Periodic training, policy acknowledgment, and attestation processes. |
| K5-6.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Determine compliance with policies related to access control, ethics, and acceptable use. | No succession plan for key IT positions. | Documented succession plans and role redundancy. |
| K5-7.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Talent Management | Evaluate third-party/contractor IT personnel management controls. | Contractor roles not clearly defined or monitored. | Access controls and contractual clauses defining roles, responsibilities, and compliance requirements. |
| K5-8.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Assess whether IT strategy is formally documented, approved, and aligned with enterprise business strategy. | IT strategy not defined or outdated. | Formal IT strategy document approved by executive management and board. |
| K5-9.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Evaluate governance structures for IT strategic planning, oversight, and accountability. | IT strategy misaligned with business objectives. | Regular alignment reviews with business strategy and input from business leaders. |
| K5-10.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Verify that IT investment decisions align with enterprise goals and deliver measurable value. | Lack of governance over IT strategic planning. | IT steering committee oversight, clear roles, and accountability. |
| K5-11.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Ensure risk management is embedded in IT strategy to address emerging technologies, security, compliance, and operational risks. | Inadequate consideration of risk, compliance, or security in strategy. | Integration of enterprise risk management and regulatory requirements into IT strategy. |
| K5-12.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Assess whether IT strategic performance is measured, monitored, and reported to stakeholders. | IT investments fail to deliver value or Return on Investment (ROI). | Formal investment appraisal, prioritization, and benefits realization framework. |
| K5-13.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Evaluate adaptability of IT strategy to business change, innovation, and digital transformation initiatives. | Strategy not flexible to address innovation, cloud, or digital transformation. | Periodic reviews and updates to IT strategy considering new technologies. |
| K5-14.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Evaluate adaptability of IT strategy to business change, innovation, and digital transformation initiatives. | Lack of performance monitoring for IT strategy outcomes. | Key Performance Indicators (KPIs), scorecards, and regular reporting to leadership. |
| K5-15.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Strategy | Confirm stakeholder engagement and communication in the IT strategic planning process. | Poor communication or stakeholder engagement in IT strategy. | Stakeholder consultation processes, strategy workshops, and transparent communication. |
| K5-16.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Assess whether IT initiatives are aligned with enterprise objectives to maximize business value. | IT initiatives do not align with business goals. | Formal IT-business alignment framework, strategic reviews, and involvement of business leaders in IT planning. |
| K5-17.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Verify that processes exist to prioritize IT investments based on Return on Investment (ROI), risk, and strategic importance. | IT investments are not prioritized effectively, leading to wasted resources. | Investment governance processes, business case requirements, and Return on Investment (ROI)-based prioritization. |
| K5-18.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Evaluate whether benefits realization practices are in place to measure and deliver expected business outcomes. | Expected business benefits from IT initiatives are not realized. | Benefits realization management framework, tracking mechanisms, and post-implementation reviews. |
| K5-19.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Determine if IT performance metrics and Key Performance Indicators (KPIs) reflect value contribution to the business. | Lack of measurable performance indicators to demonstrate business value. | Defined KPIs and balanced scorecards linking IT performance to business outcomes. |
| K5-20.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Assess governance and accountability structures for monitoring business value delivery. | Poor governance over business value delivery. | Oversight by IT steering committees, executive sponsorship, and accountability frameworks. |
| K5-21.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Confirm continuous improvement mechanisms exist to optimize IT value creation. | Stakeholder needs and value expectations not captured. | Stakeholder consultation, feedback mechanisms, and periodic alignment workshops. |
| K5-22.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Business Value Maximization | Ensure stakeholder engagement in defining and measuring business value. | No continuous improvement in value realization processes. | Regular strategy refresh cycles, lessons learned reviews, and optimization initiatives. |
| K5-23.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Evaluate whether the organization has a structured vendor portfolio management framework in place. | Lack of formal vendor portfolio management leads to inconsistent practices. | Documented vendor management policies and procedures, approved by management. |
| K5-24.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Assess the process for selecting, onboarding, and classifying vendors based on criticality and risk. | Inadequate vendor due diligence results in high-risk or unqualified vendors. | Standardized vendor risk assessments (financial, security, compliance, reputational). |
| K5-25.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Assess the process for selecting, onboarding, and classifying vendors based on criticality and risk. | No vendor classification, leading to ineffective resource allocation. | Vendors categorized by criticality, risk, and service dependency. |
| K5-26.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Verify that vendor performance is monitored and aligned with contractual and strategic objectives. | Contracts do not include adequate performance or compliance terms. | Standard contract templates with defined Service-Level Agreements (SLAs), security clauses, and penalties. |
| K5-27.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Determine whether vendor risks (financial, operational, cybersecurity, compliance) are identified, assessed, and mitigated. | Vendor performance not monitored, leading to poor service delivery. | Regular vendor performance reviews, Key Performance Indicators/Service-Level Agreement (KPI/SLA) dashboards, and escalation processes. |
| K5-28.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Assess whether contracts, Service-Level Agreements (SLAs), and performance metrics are consistently defined, documented, and enforced. | Vendor-related risks (cybersecurity, financial stability, compliance) are not managed. | Ongoing monitoring of vendor risks, third-party audits, and continuous due diligence. |
| K5-29.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Confirm that vendor exit strategies and transition plans exist for critical providers. | Over-reliance on a small set of vendors introduces concentration risk. | Portfolio diversification strategies and contingency plans. |
| K5-29.1.2 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Confirm that vendor exit strategies and transition plans exist for critical providers. | Lack of exit/transition strategy results in service disruption. | Documented vendor exit and transition plans for critical services. |
| K5-30.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Portfolio Management | Review whether governance and reporting mechanisms exist to provide transparency over vendor portfolio health. | Insufficient governance and reporting over vendor portfolio. | Vendor management committees, executive reporting, and periodic reviews. |
| K5-31.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Evaluate whether vendor performance management processes are formally defined, documented, and implemented. | Lack of defined vendor performance framework leads to inconsistent monitoring. | Documented vendor performance management policy, approved by management. |
| K5-32.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Assess whether vendor contracts and Service-Level Agreements (SLAs) include clear and measurable performance metrics. | Performance metrics are not aligned to business needs or critical outcomes. | Contracts and Service-Level Agreements (SLAs) include Specific Measurable Achievable Relevant Timebound (SMART) Key Performance Indicators (KPIs) aligned to business objectives. |
| K5-33.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Verify whether performance monitoring is consistently performed and results are tracked. | Vendor performance data is inaccurate or incomplete. | Centralized performance reporting system with validation checks. |
| K5-34.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Ensure escalation procedures are in place for addressing underperforming vendors. | Poor vendor performance not detected or escalated. | Regular vendor reviews with escalation processes for underperformance. |
| K5-35.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Confirm that performance reviews feed into vendor portfolio decisions (renewals, termination, or renegotiation). | Over-reliance on self-reported vendor data. | Independent verification of vendor reports (audits, third-party assessments). |
| K5-36.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Determine whether governance bodies receive timely and accurate reporting on vendor performance. | Failure to address chronic underperformance. | Corrective action plans and structured remediation follow-up. |
| K5-37.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Assess alignment of vendor performance with organizational strategy, regulatory requirements, and risk appetite. | No integration of performance results into contract renewals or sourcing decisions. | Governance framework requiring performance review before contract renewal. |
| K5-37.1.2 | K Information Technology | K5 - Business, Strategy, & Planning / Vendor Performance Management | Assess alignment of vendor performance with organizational strategy, regulatory requirements, and risk appetite. | Lack of transparency for leadership and stakeholders. | Periodic performance dashboards and governance committee reporting. |
| K5-38.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Evaluate the effectiveness of IT financial planning and budgeting processes. | Budget overruns and inaccurate forecasts. | Formal budgeting processes, variance analysis, and periodic reviews. |
| K5-39.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Verify the accuracy, transparency, and accountability of IT financial reporting. | Misallocation of IT costs to departments or projects. | Clear cost allocation models and tracking tools. |
| K5-40.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Assess whether IT investments align with organizational goals and deliver value. | Overspending on low-value IT initiatives. | Business case evaluations and IT investment governance. |
| K5-41.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Determine whether IT costs are properly allocated and monitored. | Lack of visibility into IT spending. | Regular IT financial reporting and dashboards. |
| K5-42.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Ensure compliance with financial policies, procurement guidelines, and regulatory requirements. | Non-compliance with procurement policies. | Standard procurement workflows and approval hierarchies. |
| K5-43.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Assess controls over IT vendor management, licensing, and contract compliance. | Licensing violations or over-purchasing. | License tracking tools and periodic license reviews. |
| K5-43.1.2 | K Information Technology | K5 - Business, Strategy, & Planning / IT Financial Management | Assess controls over IT vendor management, licensing, and contract compliance. | Contractual non-compliance with IT vendors. | Vendor management processes and contract review checkpoints. |
| K5-44.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Assess whether IT resources (people, technology, financials, assets) are aligned with business priorities and strategic objectives. | IT resources are misaligned with business strategy. | Strategic resource planning framework aligned with business goals. |
| K5-45.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Verify that resource allocation and utilization are efficient, transparent, and optimized. | Lack of visibility into resource utilization leads to waste or inefficiencies. | Centralized resource management system with utilization dashboards. |
| K5-45.1.2 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Verify that resource allocation and utilization are efficient, transparent, and optimized. | Over-provisioning or under-provisioning of IT resources. | Capacity planning and demand forecasting processes. |
| K5-45.1.3 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Verify that resource allocation and utilization are efficient, transparent, and optimized. | Duplication of effort or redundant systems/tools. | Governance over technology acquisition and periodic portfolio rationalization. |
| K5-46.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Determine whether resource demand planning and forecasting are accurate and support business needs. | Poor workforce allocation or skills mismatch. | Workforce planning, training programs, and skill gap analysis. |
| K5-47.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Evaluate monitoring and reporting mechanisms for tracking resource usage, productivity, and efficiency. | Budget overruns due to inefficient resource allocation. | Cost monitoring, optimization reviews, and approval controls for expenditures. |
| K5-48.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Assess whether governance exists to prevent underutilization, waste, or duplication of IT resources. | Lack of accountability for resource ownership. | Clear ownership and accountability defined for resource management. |
| K5-49.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Resource Optimization | Confirm that resource optimization initiatives are continuously improved and aligned with cost management practices. | No mechanism for continuous improvement in resource usage. | Regular reviews of utilization, benchmarking, and improvement initiatives. |
| K5-50.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Verify that IT portfolio management processes align IT investments with organizational strategy and business priorities. | IT portfolio misaligned with business strategy. | Formal IT portfolio governance framework aligned with organizational objectives. |
| K5-51.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Assess whether IT projects, applications, and services within the portfolio are evaluated consistently based on risk, value, cost, and performance. | Lack of prioritization results in misallocation of resources. | Standardized portfolio prioritization criteria (value, risk, cost, compliance). |
| K5-52.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Confirm that there is effective governance over portfolio decision-making (approval, prioritization, and decommissioning). | Ineffective investment decisions lead to waste or redundant projects. | Portfolio review board with approval/validation checkpoints. |
| K5-53.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Determine whether portfolio performance is monitored through Key Performance Indicators (KPIs), dashboards, and reporting. | Poor visibility into costs and benefits of IT investments. | Centralized portfolio management tool with cost-benefit tracking. |
| K5-54.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Assess whether the organization periodically reviews the portfolio to optimize costs, reduce redundancy, and retire low-value initiatives. | Failure to retire low-value or obsolete applications/projects. | Formal decommissioning and rationalization process. |
| K5-55.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Evaluate whether risk management practices are integrated into portfolio decisions. | Risks within portfolio projects not considered during decision-making. | Risk assessment incorporated into portfolio evaluations. |
| K5-56.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Ensure IT portfolio transparency for stakeholders through consistent reporting and communication. | Limited transparency for executives and stakeholders. | Periodic reporting on portfolio health, value realization, and risks. |
| K5-57.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / IT Portfolio Management | Ensure IT portfolio transparency for stakeholders through consistent reporting and communication. | Portfolio performance metrics not tracked or reviewed. | Key Performance Indicators (KPIs), dashboards, and periodic reviews at governance meetings. |
| K5-58.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Evaluate the effectiveness of the organization’s project management framework and methodologies. | Projects exceed budgets or timelines. | Formal project budgeting, scheduling, and variance reporting processes. |
| K5-59.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Assess alignment between IT projects and business objectives or strategic goals. | Inadequate planning or unclear objectives. | Use of standardized project charters, defined scope, and stakeholder input. |
| K5-60.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Verify adherence to project governance, approvals, and oversight mechanisms. | Scope creep or unmanaged changes. | Documented change control procedures with approval workflows. |
| K5-61.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Review the adequacy of project planning, budgeting, and resource allocation processes. | Misalignment with business priorities. | Project prioritization criteria tied to strategic objectives. |
| K5-62.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Determine whether project risks, issues, and scope changes are managed effectively. | Lack of accountability or oversight. | Governance committees and executive sponsors assigned to projects. |
| K5-63.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Assess the management of vendors and contractors involved in IT projects. | Poor stakeholder communication. | Defined communication plans and periodic stakeholder updates. |
| K5-64.1.1 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Ensure projects are closed properly with documented outcomes, lessons learned, and benefit realization. | Project failure due to skill/resource gaps. | Resource allocation planning and staff capability assessments. |
| K5-64.1.2 | K Information Technology | K5 - Business, Strategy, & Planning / Project Management | Ensure projects are closed properly with documented outcomes, lessons learned, and benefit realization. | Incomplete project closure and missing lessons learned. | Post-implementation reviews and knowledge management documentation. |
| K6-1.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Evaluate the effectiveness of the IT governance framework in aligning IT with business objectives. | Misalignment between IT and business strategy. | Established and documented IT governance framework aligned with business goals. |
| K6-2.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Assess the oversight provided by executive leadership and governing bodies (e.g., IT Steering Committee). | Lack of strategic oversight and accountability. | IT Steering Committee with defined roles, regular meetings, and minutes. |
| K6-3.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Determine whether IT strategies, policies, and procedures are current, approved, and aligned with organizational goals. | Outdated or poorly defined IT policies. | Periodic review and approval process for IT policies and strategies. |
| K6-4.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Verify whether performance metrics are established and monitored to measure IT value and risk. | Inadequate measurement of IT performance. | Defined Key Performance Indicators (KPIs) and regular IT performance reporting to executive leadership. |
| K6-5.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Assess the risk management framework supporting IT decision-making. | Unmanaged IT risks. | Integration of IT risk management into the overall Enterprise Risk Management (ERM) framework. |
| K6-6.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Review stakeholder involvement in IT planning and decision processes. | Limited stakeholder involvement in IT planning. | Formal stakeholder engagement processes and feedback loops. |
| K6-7.1.1 | K Information Technology | K6 - Strategy & Governance / IT Governance | Ensure that compliance, accountability, and ethical considerations are embedded into IT governance. | Non-compliance with laws or ethical standards. | Governance controls ensuring compliance, ethics, and audit readiness. |
| K6-8.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Evaluate how leadership sets and communicates the organization’s culture and core values. | Lack of visible support from leadership for ethical conduct. | Executive sponsorship of ethics programs and visible role modeling. |
| K6-9.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Assess the alignment of IT operations and decisions with the organization’s mission and ethical standards. | Misalignment between stated values and actual behaviors. | Periodic culture assessments and alignment reviews. |
| K6-10.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Verify that governance structures support ethical behavior, accountability, and transparency. | Unclear expectations for acceptable behavior. | Published code of conduct and organizational values with regular training. |
| K6-10.1.2 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Verify that governance structures support ethical behavior, accountability, and transparency. | Lack of accountability or inconsistent disciplinary actions. | Whistleblower protections and disciplinary procedures for ethical breaches. |
| K6-11.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Determine the effectiveness of communication channels between leadership and staff. | Ineffective communication of vision, mission, and goals. | Town halls, internal newsletters, and digital platforms for engagement. |
| K6-12.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Review mechanisms for reinforcing desired behaviors and correcting cultural misalignments. | Employees fear retaliation for reporting unethical behavior. | Anonymous reporting mechanisms and non-retaliation policies. |
| K6-13.1.1 | K Information Technology | K6 - Strategy & Governance / Leadership, Culture, & Values | Ensure that ethical considerations and values are integrated into IT strategy, operations, and performance management. | Ethics and culture not integrated into IT decision-making. | Ethical impact assessments in IT governance processes. |
| K6-14.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Evaluate whether the IT organizational structure supports the organization’s strategic objectives. | Unclear or overlapping responsibilities in the IT department. | Documented roles and responsibilities with updated job descriptions. |
| K6-14.1.2 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Evaluate whether the IT organizational structure supports the organization’s strategic objectives. | Poor alignment between IT and business strategy. | Regular strategic planning sessions between IT and business leaders. |
| K6-15.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Assess clarity in roles, responsibilities, and reporting lines within the IT function. | Lack of accountability for IT performance. | Defined Key Performance Indicators (KPIs) and reporting structures for IT functions. |
| K6-16.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Determine if IT leadership and staff have appropriate qualifications, skills, and resources. | Ineffective communication across IT teams. | Formalized communication channels and collaboration tools. |
| K6-17.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Review alignment between IT and business units for service delivery and accountability. | Segregation of duties conflicts. | Segregation of Duties (SOD) matrix and periodic access reviews for key IT roles. |
| K6-18.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Ensure segregation of duties is maintained for critical IT functions. | Inadequate skills and staffing levels. | Ongoing training programs and workforce planning. |
| K6-19.1.1 | K Information Technology | K6 - Strategy & Governance / IT Organizational Structure | Verify that the structure facilitates innovation, compliance, and operational effectiveness. | Over-centralization or under-utilization of IT resources. | Balanced organizational model (centralized, decentralized, or hybrid) aligned with business needs. |
| K6-20.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Evaluate the effectiveness of the organization's Knowledge Management (KM) strategy and framework. | Loss of critical knowledge during staff turnover. | Formal knowledge transfer and documentation processes. |
| K6-21.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Assess whether critical knowledge assets are identified, documented, and accessible. | Inconsistent documentation of procedures or solutions. | Standard templates and mandatory documentation requirements. |
| K6-22.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Determine if knowledge is consistently captured, updated, and shared across IT and business units. | Knowledge not easily accessible to users who need it. | Centralized knowledge repositories with user access management. |
| K6-23.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Review controls in place to protect the integrity and confidentiality of knowledge assets. | Outdated or inaccurate information in knowledge bases. | Periodic review and validation schedules for knowledge assets. |
| K6-24.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Verify the integration of knowledge management into IT processes such as incident resolution, onboarding, and project delivery. | Duplication of effort due to lack of shared knowledge. | Collaboration tools and internal knowledge-sharing forums. |
| K6-25.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Ensure knowledge retention during staff turnover or transitions. | Security breaches due to exposed sensitive knowledge. | Access controls and classification for confidential knowledge assets. |
| K6-26.1.1 | K Information Technology | K6 - Strategy & Governance / Knowledge Management | Ensure knowledge retention during staff turnover or transitions. | Lack of incentives for knowledge sharing. | Performance metrics or recognition programs for knowledge contributors. |
| K6-27.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Evaluate the effectiveness of IT performance management processes. | Lack of alignment between IT performance and business goals. | Defined Key Performance Indicators (KPIs) linked to strategic objectives. |
| K6-28.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Verify that Key Performance Indicators (KPIs) are defined, aligned with business goals, and regularly monitored. | Inaccurate or untimely performance data. | Automated data collection and validation processes. |
| K6-29.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Assess whether IT services and initiatives deliver expected value and outcomes. | Inadequate monitoring and reporting of IT performance. | Regular performance dashboards and management reports. |
| K6-30.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Determine if performance data is accurate, timely, and used for decision-making. | Performance issues not being addressed. | Issue tracking system with escalation and resolution workflows. |
| K6-31.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Evaluate processes for reporting, analyzing, and acting on IT performance metrics. | Decisions made on incomplete or outdated performance insights. | Real-time or periodic review of up-to-date metrics. |
| K6-32.1.1 | K Information Technology | K6 - Strategy & Governance / Performance Management | Ensure performance issues are identified, tracked, and addressed in a timely manner. | Stakeholders unaware of IT performance status. | Routine communication of IT performance to stakeholders. |
| K6-32.1.2 | K Information Technology | K6 - Strategy & Governance / Performance Management | Ensure performance issues are identified, tracked, and addressed in a timely manner. | Inconsistent performance assessment across departments. | Standardized performance management framework and reporting templates. |
| K6-33.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Assess the adequacy and effectiveness of the IT management framework. | Lack of formal IT management structure. | Defined IT governance framework with assigned roles and responsibilities. |
| K6-34.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Verify the existence, approval, communication, and periodic review of IT policies and procedures. | Outdated or missing IT policies. | Periodic policy review and update schedule with responsible owners. |
| K6-35.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Ensure IT management practices align with business strategies, compliance, and risk requirements. | IT practices not aligned with business goals. | IT strategic planning aligned with business strategy and objectives. |
| K6-36.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Evaluate the accountability and governance structure over IT operations. | Policies not communicated to relevant stakeholders. | Policy distribution mechanisms and acknowledgment tracking. |
| K6-37.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Review processes for policy enforcement and exception management. | Inconsistent enforcement of IT policies. | Monitoring tools, access controls, and enforcement procedures. |
| K6-37.1.2 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Review processes for policy enforcement and exception management. | Policy exceptions not documented or approved. | Formal exception request and approval workflow. |
| K6-38.1.1 | K Information Technology | K6 - Strategy & Governance / IT Management and Policies | Determine whether IT policies support security, availability, continuity, and integrity of services. | Non-compliance with legal or regulatory requirements. | Policies mapped to applicable standards and legal requirements. |
| K6-39.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Evaluate the effectiveness of the IT quality management framework and its alignment with business objectives. | Inconsistent service or product quality. | Documented quality standards and Quality Assurance (QA) checklists for IT deliverables. |
| K6-40.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Assess whether quality policies, standards, and procedures are defined, documented, and enforced. | Lack of visibility into quality performance. | Quality metrics and dashboards with regular reporting. |
| K6-41.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Review how quality is measured, monitored, and reported across IT processes and services. | Failure to detect and resolve recurring issues. | Root cause analysis and problem management processes. |
| K6-42.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Determine the adequacy of mechanisms for identifying and correcting quality issues. | Limited staff understanding of quality expectations. | Ongoing training and communication of quality standards. |
| K6-43.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Verify integration of continuous improvement practices into IT operations and project delivery. | No formal process for continuous improvement. | Continuous improvement framework with lessons learned reviews. |
| K6-43.1.2 | K Information Technology | K6 - Strategy & Governance / Quality Management | Verify integration of continuous improvement practices into IT operations and project delivery. | Customer dissatisfaction due to poor IT service quality. | Customer feedback loops and satisfaction surveys. |
| K6-44.1.1 | K Information Technology | K6 - Strategy & Governance / Quality Management | Assess training and awareness efforts to promote a culture of quality within IT. | Project or service delivery delays due to quality failures. | Stage gates and quality assurance reviews at key milestones. |
| K6-45.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Evaluate the effectiveness of Organizational Change Management (OCM) processes. | Lack of alignment between change initiatives and business strategy. | Formal change strategy development and review process involving key business stakeholders. |
| K6-46.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Ensure change initiatives are aligned with strategic goals and communicated effectively. | Inadequate communication leading to resistance or confusion. | Comprehensive communication plan tailored to affected audiences and monitored for effectiveness. |
| K6-47.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Assess the adequacy of stakeholder engagement and training programs. | Insufficient stakeholder involvement and buy-in. | Engagement of stakeholders in the change process, with regular feedback loops and inclusive decision-making. |
| K6-48.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Verify that risks related to organizational change are identified, assessed, and mitigated. | Employees not adequately trained to adopt new processes or tools. | Structured training programs with pre- and post-training evaluations and follow-up support. |
| K6-49.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Verify that risks related to organizational change are identified, assessed, and mitigated. | Change fatigue and reduced employee morale. | Change impact assessments, proper pacing of initiatives, and recognition of employee contributions. |
| K6-50.1.1 | K Information Technology | K6 - Strategy & Governance / Organizational Change Management | Verify that risks related to organizational change are identified, assessed, and mitigated. | Inability to measure the success of change initiatives. | Defined success metrics, Key Performance Indicators (KPIs), and post-implementation reviews or audits. |
| L1-1.1.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | County information is used for non-governmental purposes; the County fails to protect personally identifiable information (PII). | Information is safeguarded through physical access restrictions. Restrictions include badge-only access, locked files & locked storage rooms, security cameras and security officers. |
| L1-1.1.2 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | County information is used for non-governmental purposes; the County fails to protect PII. | Information is safeguarded through logical (system) access restrictions. Restrictions include password protection, screen saver use, and administrator rights control. |
| L1-1.2.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Confidential information may be inadvertently disclosed. | Document distribution is controlled and all appropriate documents are clearly labeled 'CONFIDENTIAL'. |
| L1-1.3.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | The County's policies, such as records retention, are comprehensive and effectively communicated. |
| L1-1.3.2 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Confidential County information is identified as such, including financial and technical information, County objectives, strategies, forecasts, etc. |
| L1-1.3.3 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Confidential County Information is shared externally only when an executed Confidentiality Disclosure Agreement (CDA) or Non-Disclosure Agreement (NDA) is in place. |
| L1-1.3.4 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | When agreements are terminated, a process is in place to retrieve County Confidential information and/or to return Confidential information to the external party. |
| L1-1.3.5 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | County publication and external communication clearance policies and procedures are adhered to. |
| L1-1.3.6 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Technical information is classified and protected according to County IS Sensitivity Classifications. |
| L1-1.3.7 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Use of County logos by employees and authorized external parties is approved and conforms with recommended practices. |
| L1-1.3.8 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Communication of any potential loss or misappropriation of proprietary property follows the County's policies. |
| L1-1.3.9 | L - General Physical and Logical Security | L1 - Physical and Logical Security | County information is retained and disclosed in accordance with County policies and procedures. | Lack of adherence to policies may result in loss of proprietary information / data or confidential information being inadvertently revealed. | Participation in any social networking activities follows County policy (see section on Social Media). |
| L1-2.1.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Transactions are carried out in accordance with County and Delegation of Authority policies. | Transactions may not have the necessary corporate authorizations; fraud or irregularities could go undetected. | Powers of attorney are reviewed periodically and updated or removed when employees change positions or leave the County. |
| L1-3.1.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Adequate procedures for contingency planning, business continuity and safeguarding of assets exist. | Assets may not be properly safeguarded. | Crisis management plans are documented, communicated, maintained and periodically tested. |
| L1-3.1.2 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Adequate procedures for contingency planning, business continuity and safeguarding of assets exist. | Assets may not be properly safeguarded. | Valuable assets, including intellectual assets and information technology, are protected from unauthorized access or use. |
| L1-3.1.3 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Adequate procedures for contingency planning, business continuity and safeguarding of assets exist. | Assets may not be properly safeguarded. | Packages, briefcases, etc., removed from County facilities are subject to inspection by security personnel according to site security procedures. |
| L1-4.1.1 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Entrance to County Facilities is restricted as appropriate. | Unauthorized individuals may gain access to County facilities. | Only authorized persons receive badges or other devices that allow access to County facilities. |
| L1-4.1.2 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Entrance to County Facilities is restricted as appropriate. | Unauthorized individuals may gain access to County facilities. | Access to facilities is based on job and need. |
| L1-4.1.3 | L - General Physical and Logical Security | L1 - Physical and Logical Security | Entrance to County Facilities is restricted as appropriate. | Unauthorized individuals may gain access to County facilities. | Security personnel monitor activity in high-risk areas. Monitoring may be in person or by security device (cameras). |
| M1-1.1.1 | M - Grants | M1 - Grants and Programs | Grants are identified and applications are submitted. | Grant funds may go unawarded to the County. | Departmental Management actively identifies applicable grants and programs. |
| M1-1.1.2 | M - Grants | M1 - Grants and Programs | Grants are identified and applications are submitted. | Grant funds may go unawarded to the County. | Grant application requirements are identified; grant applications are completed and submitted timely. |
| M1-1.1.3 | M - Grants | M1 - Grants and Programs | Grants are identified and applications are submitted. | Grant funds may go unawarded to the County. | Proposals, expenditures and other required documentation (e.g., indirect cost allocation) are compiled and available for review. |
| M1-2.1.1 | M - Grants | M1 - Grants and Programs | Grant requirements are documented and compliance is monitored. | Funds may be withdrawn and repayment to the programs (e.g., Federal Government) or grantor may be required if there has not been compliance. | Departmental Management has a detailed understanding of identified programs and grants, and the associated compliance requirements. This understanding is adequately documented. |
| M1-2.1.2 | M - Grants | M1 - Grants and Programs | Grant requirements are documented and compliance is monitored. | Funds may be withdrawn and repayment to the programs (e.g., Federal Government) or grantor may be required if there has not been compliance. | Grants and Programs are managed and protected; restrictive clauses are periodically reviewed. Program accounting & managing practices are complied with; controls and compliance are documented. |
| M1-3.1.1 | M - Grants | M1 - Grants and Programs | Grants are accepted by the Board or their designee; grants are also appropriated by the Board. | The County does not comply with State law. | Grants and Programs are presented to and accepted by the Board of Commissioners. |
| N1-1.1.1 | N - Budgets | N1 - County Budget | Budgets are established for each fiscal period. | Unapproved expenditures may occur. Insufficient funds may exist to pay for procured goods and services. | Budgets are prepared for each fiscal period. See G.S. 159-13. |
| N1-2.1.1 | N - Budgets | N1 - County Budget | Budgets are based upon prior budgets, reasonable, documented assumptions and/or estimations. | Funds may be insufficient to pay for procured goods and services and/or funds may go unused. | Budgets are based on reasonable, documented assumptions and estimations. |
| N1-2.1.2 | N - Budgets | N1 - County Budget | Budgets are based upon prior budgets, reasonable, documented assumptions and/or estimations. | Funds may be insufficient to pay for procured goods and services and/or funds may go unused. | The Budget process follows the Local Government Budget and Fiscal Control Act (GS159, Article 3) as follows: (1) April 30: Department Request Due. (2) June 1: Board of Commissioners receives recommended budget. (3) June 30: Board of Commissioners must adopt annual budget; a public hearing must be advertised and held when the budget is presented to the Board of Commissioners. |
| N1-3.1.1 | N - Budgets | N1 - County Budget | Budget ordinances are passed / approved by legal authority (Board of Commissioners). | Unapproved expenditures may occur. | Budget ordinances are passed / approved by legal authority (Board of Commissioners). |
| N1-3.1.2 | N - Budgets | N1 - County Budget | Budget ordinances are passed / approved by legal authority (Board of Commissioners). | Unapproved expenditures may occur. | The Budget must be balanced (the sum of estimated net revenues plus appropriated fund balance equals appropriations); Local Government Budget and Fiscal Control Act (GS159, 8). |
| N1-4.1.1 | N - Budgets | N1 - County Budget | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | Appropriations should be by function, department, or project. |
| N1-4.1.2 | N - Budgets | N1 - County Budget | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | The Budget Department monitors budgets at the level of budget adoption to ensure no over expenditures have occurred. If such over expenditures have occurred, the over expenditure is disclosed in the Stewardship and Compliance section of the notes to the financial statements. |
| N1-4.1.3 | N - Budgets | N1 - County Budget | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | Budgets are set with built-in contingencies. |
| N1-4.1.4 | N - Budgets | N1 - County Budget | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | There are at least ten (10) days between when the budget and the budget message were presented to the board and the adoption of the budget by the board. |
| N1-4.1.5 | N - Budgets | N1 - County Budget | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | Changes to the approved Budget appropriation must be approved by the Board of Commissioners. Note that the County Manager has a set amount of discretionary funds that can be used without Commissioner approval. |
| N1-5.1.1 | N - Budgets | N1 - County Budget | The general public is informed of the budget process and notified of key milestones and meetings. | The public does not have the opportunity to comment and provide feedback to elected officials. | Required notifications (e.g., public hearings) on the budget are issued timely. |
| N1-6.1.1 | N - Budgets | N1 - County Budget | Budgets are monitored. Management is made aware of issues and appropriate management actions are taken. | The final amount of fund balance appropriated exceeds the fund balance available at the end of the fiscal year. | The budget ordinance authorizes the budget officer to make transfers within a function or department without changing the total appropriation to that function or department; when such transfers are made, they are reported to the Board and recorded in the minutes at the next regularly scheduled board meeting. |
| N1-6.1.2 | N - Budgets | N1 - County Budget | Budgets are monitored. Management is made aware of issues and appropriate management actions are taken. | The final amount of fund balance appropriated exceeds the fund balance available at the end of the fiscal year. | Verify that all expenditures in annually budgeted funds are included in the final budget. |
| N1-6.2.1 | N - Budgets | N1 - County Budget | Budgets are monitored. Management is made aware of issues and appropriate management actions are taken. | Without proper controls and spending limits in place, there is a risk of excessive spending or unauthorized expenditures. Clear guidelines and limits should be established to ensure that budgeted funds are used appropriately and within approved limits. | Budget Analysts periodically review department budgets (and individual accounts where warranted) to identify any significant deviations and make adjustments that are required to avoid overspending. |
| N2-1.1.1 | N - Budgets | N2 - Departmental Budgets | Departmental budgets are established for each fiscal period; planned budget allocations within the Department to operating groups and/or programs are also established. | Unapproved expenditures may occur. Insufficient funds may exist to pay for procured goods and services. | Departmental budgets are prepared for each fiscal period. |
| N2-2.1.1 | N - Budgets | N2 - Departmental Budgets | Budgets are based upon prior budgets, reasonable, documented assumptions and/or estimations. | Funds may be insufficient to pay for procured goods and services and/or funds may go unused. | Budgets are based upon prior budgets, reasonable, documented assumptions and/or estimations. |
| N2-3.1.1 | N - Budgets | N2 - Departmental Budgets | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | Regular, periodic reports are provided to departmental management; appropriate management actions are taken to stay within budgets. |
| N2-3.1.2 | N - Budgets | N2 - Departmental Budgets | Budgets are properly set up and managed. | Budgets may not comply with laws and regulations. Budgets may not adequately fund nor control County operations. | Excess funds are returned to the General Fund for reallocation. |
| O1-1.1.1 | O - Sales & Revenue | O1 - Customer Master Data | A customer master data file accurately reflects valid customer information for approved customers. | Fictitious customers or inaccurate customer master data may be established in the County records resulting in inaccurate financial reporting. Customer master file information may be inappropriately modified and not approved by management. | Customer master file additions, deletions, and modifications are accurate, complete and are monitored. |
| O1-1.1.2 | O - Sales & Revenue | O1 - Customer Master Data | A customer master data file accurately reflects valid customer information for approved customers. | Fictitious customers or inaccurate customer master data may be established in the County records resulting in inaccurate financial reporting. Customer master file information may be inappropriately modified and not approved by management. | Any change or modification of customer credit limit and/or credit risk master data is properly approved before system transactions are completed. |
| O1-2.1.1 | O - Sales & Revenue | O1 - Customer Master Data | Customer master data systems and records are appropriately safeguarded. | Loss of Customer Master data or unauthorized changes to the data or records may occur and go undetected. | Access to customer master data systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| O1-3.1.1 | O - Sales & Revenue | O1 - Customer Master Data | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| O2-1.1.1 | O - Sales & Revenue | O2 - Credit Extension | Credit is extended, for which collectability is reasonably assured, and sufficient information is supplied to management to monitor, pursue and evaluate customer credit worthiness. | Management may not receive information timely and/or accurately which may lead to increased credit risks and/or bad debts. | Credit and collection policies and procedures are defined, documented, approved, communicated and adhered to in order to meet County objectives regarding receivables and cash flow. |
| O2-1.1.2 | O - Sales & Revenue | O2 - Credit Extension | Credit is extended, for which collectability is reasonably assured, and sufficient information is supplied to management to monitor, pursue and evaluate customer credit worthiness. | Management may not receive information timely and/or accurately which may lead to increased credit risks and/or bad debts. | Management reviews customer financial/credit information in accordance with the Credit policy, and takes actions as necessary to limit credit risk, including taking and monitoring any collateral/security interest. |
| O2-1.1.3 | O - Sales & Revenue | O2 - Credit Extension | Credit is extended, for which collectability is reasonably assured, and sufficient information is supplied to management to monitor, pursue and evaluate customer credit worthiness. | Management may not receive information timely and/or accurately which may lead to increased credit risks and/or bad debts. | Exceptions to standard customer payment terms are reviewed and approved by management. |
| O2-2.1.1 | O - Sales & Revenue | O2 - Credit Extension | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| O3-1.1.1 | O - Sales & Revenue | O3 - Order Entry | Sales orders must be based on valid customer commitment, supported by appropriate documentation, and processed accurately and completely. | Orders may be incomplete, lost, or delayed, resulting in lost sales and/or excessive returns. | Customer orders are entered accurately and completely into the system and consecutively numbered. |
| O3-1.1.2 | O - Sales & Revenue | O3 - Order Entry | Sales orders must be based on valid customer commitment, supported by appropriate documentation, and processed accurately and completely. | Orders may be incomplete, lost, or delayed, resulting in lost sales and/or excessive returns. | System logic prevents processing of customer orders unless a valid customer account / record exists in the customer master data file. |
| O3-1.1.3 | O - Sales & Revenue | O3 - Order Entry | Sales orders must be based on valid customer commitment, supported by appropriate documentation, and processed accurately and completely. | Orders may be incomplete, lost, or delayed, resulting in lost sales and/or excessive returns. | Open/incomplete orders are monitored and investigated. |
| O3-2.1.1 | O - Sales & Revenue | O3 - Order Entry | Sales orders for credit sales are processed only for customers with authorized credit. | Orders may be taken for unauthorized customers and/or unacceptable credit risks, resulting in potential uncollectible accounts and the loss of County funds. | Sales orders exceeding credit limits are blocked. |
| O3-3.1.1 | O - Sales & Revenue | O3 - Order Entry | Sales order systems and records are appropriately safeguarded. | Loss or unauthorized changes to sales orders, including customer data, price data and system program configuration, may occur and go undetected. | Access to the sales order system and records is appropriately restricted and reviewed, at least annually, by management. |
| O3-4.1.1 | O - Sales & Revenue | O3 - Order Entry | External financial statements reflect only sales to and earnings from third parties. | Income statement and Balance Sheet may contain erroneous sales and earnings not related to outside sales, resulting in inaccurate financial reporting. | Transfers between County units are recorded as transfers, not sales. |
| O3-5.1.1 | O - Sales & Revenue | O3 - Order Entry | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| O4-1.1.1 | O - Sales & Revenue | O4 - Invoicing | Prices are fixed and determinable; prices and payment terms are reviewed/updated and approved so that only valid prices and payment terms are granted to customers. | Revenue may be recognized before price is fixed and determinable. Customers may be charged inappropriate prices for items purchased and gross revenues are not accurately stated. | Prices and payment terms are verified for accuracy, reviewed and authorized by management. |
| O4-1.1.2 | O - Sales & Revenue | O4 - Invoicing | Prices are fixed and determinable; prices and payment terms are reviewed/updated and approved so that only valid prices and payment terms are granted to customers. | Revenue may be recognized before price is fixed and determinable. Customers may be charged inappropriate prices for items purchased and gross revenues are not accurately stated. | Prices and payment terms are maintained accurately within systems. |
| O4-1.1.3 | O - Sales & Revenue | O4 - Invoicing | Prices are fixed and determinable; prices and payment terms are reviewed/updated and approved so that only valid prices and payment terms are granted to customers. | Revenue may be recognized before price is fixed and determinable. Customers may be charged inappropriate prices for items purchased and gross revenues are not accurately stated. | Price and payment term exception reports and overrides are monitored at least monthly. |
| O4-2.1.1 | O - Sales & Revenue | O4 - Invoicing | Business is gained through competitive merit and prices are to be determined by market forces. | Violations of anti-trust laws may result in both civil and criminal penalties and expose the County to embarrassment. | Individuals setting the prices are trained and knowledgeable of principles of laws and regulations. |
| O4-3.1.1 | O - Sales & Revenue | O4 - Invoicing | Evidence of an arrangement exists and products shipped and/or services performed must be accurately invoiced at authorized price and terms in a timely manner. | Customer sales and non-sales invoices may be incorrect, unsupported or not created resulting in misstated revenues, unauthorized terms or lost sales due to customer confusion and dissatisfaction. | "Shipped-not-billed" order status is analyzed and promptly resolved. |
| O4-3.1.2 | O - Sales & Revenue | O4 - Invoicing | Evidence of an arrangement exists and products shipped and/or services performed must be accurately invoiced at authorized price and terms in a timely manner. | Customer sales and non-sales invoices may be incorrect, unsupported or not created resulting in misstated revenues, unauthorized terms or lost sales due to customer confusion and dissatisfaction. | The sales system automatically generates an invoice and records entry to appropriate sales and inventory general ledger when goods are confirmed as delivered or shipped. |
| O4-3.1.3 | O - Sales & Revenue | O4 - Invoicing | Evidence of an arrangement exists and products shipped and/or services performed must be accurately invoiced at authorized price and terms in a timely manner. | Customer sales and non-sales invoices may be incorrect, unsupported or not created resulting in misstated revenues, unauthorized terms or lost sales due to customer confusion and dissatisfaction. | Invoices and credit memos are supported by appropriate documentation, consecutively numbered, and are monitored for accuracy and completeness. |
| O4-3.1.4 | O - Sales & Revenue | O4 - Invoicing | Evidence of an arrangement exists and products shipped and/or services performed must be accurately invoiced at authorized price and terms in a timely manner. | Customer sales and non-sales invoices may be incorrect, unsupported or not created resulting in misstated revenues, unauthorized terms or lost sales due to customer confusion and dissatisfaction. | Miscellaneous invoices and credit memos are supported by appropriate documentation, issued in accordance with the County's sales policy, recorded timely and accurately and reviewed by management for completeness, accuracy and reasonableness. |
| O4-4.1.1 | O - Sales & Revenue | O4 - Invoicing | Sales tax information is maintained and updated timely. | Failure to maintain tax exemption certificates and/or update rate changes may result in incorrect tax being billed and/or collected. | Sales tax exemption certificates are obtained from customers when required and maintained on file. |
| O4-4.1.2 | O - Sales & Revenue | O4 - Invoicing | Sales tax information is maintained and updated timely. | Failure to maintain tax exemption certificates and/or update rate changes may result in incorrect tax being billed and/or collected. | Sales tax rate changes are implemented in a timely manner. |
| O4-5.1.1 | O - Sales & Revenue | O4 - Invoicing | Miscellaneous sales to employees are properly accounted for. | Loss of assets, possible litigation and/or loss of reputation to the County may occur. | All miscellaneous sales to employees are properly documented and approved. |
| O4-6.1.1 | O - Sales & Revenue | O4 - Invoicing | Invoicing systems and records are appropriately safeguarded. | Loss or unauthorized changes to invoices may go undetected. | Access to enter, change or adjust invoices is appropriately restricted and is reviewed, at least annually, by management. |
| O4-7.1.1 | O - Sales & Revenue | O4 - Invoicing | All customer credit memos (returns, refunds, adjustments, etc.) are authorized and recorded timely and accurately. | Customer returns/credit memos/refunds may not be recorded accurately, timely or completely and result in inaccurate financial reporting. | Return, credit memo, and refund procedures are defined, documented, approved, communicated and adhered to. |
| O4-7.2.1 | O - Sales & Revenue | O4 - Invoicing | All customer credit memos (returns, refunds, adjustments, etc.) are authorized and recorded timely and accurately. | Abuse of the return/complaint policy may go undetected. | Management monitors credit memos and refunds issued, by customer, and investigates unusual trends. |
| O4-8.1.1 | O - Sales & Revenue | O4 - Invoicing | The ability to process a return/rejection/refund is limited to appropriately authorized personnel. | Returns/credit memos/refunds may be unintentionally and/or inappropriately created or issued by users. | Access to process a return, credit memo or refund is appropriately restricted and is reviewed, at least annually, by management. |
| O4-9.1.1 | O - Sales & Revenue | O4 - Invoicing | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| O5-1.1.1 | O - Sales & Revenue | O5 - Rebates, Discounts & Commissions | Sales Incentive Programs/agreements (discounts, allowances, rebates made in recognition of prompt payment, volume of purchases, etc.) are identified and properly accounted for. | Unethical and/or improper use of sales incentive programs may expose the County to embarrassment or possible litigation; discounts and rebates may not reflect the proper accounting treatment (reduction to sales) of the applicable transaction. | Discount, allowance and rebate programs are reviewed for proper accounting treatment. |
| O5-2.1.1 | O - Sales & Revenue | O5 - Rebates, Discounts & Commissions | All rebate liabilities have been identified and properly accrued for. | Liabilities for rebates, commissions and product returns may be understated causing sales, liabilities and inventory records to be inaccurate. | Rebate and allowance accruals occur timely, are based on appropriate evidence of activity and are approved by appropriate management. |
| O5-3.1.1 | O - Sales & Revenue | O5 - Rebates, Discounts & Commissions | Sales Incentive Programs (discounts, allowances, rebates) must be based on legitimate business transactions, correctly calculated, properly recorded, monitored for reasonableness, and supported by appropriate documentation. | Revenues and related cost of sales may be adversely affected, loss of County funds may go undetected, and embarrassment to the County and possible litigation exposure could result from unethical and/or improper use of sales programs. | All rebate and allowance payments are based on appropriate evidence, accurately calculated, reviewed and recorded in the proper period and accounts. |
| O5-4.1.1 | O - Sales & Revenue | O5 - Rebates, Discounts & Commissions | Customer rebate and discount systems and records are appropriately safeguarded. | Unauthorized changes to discount and rebate tables and records may occur and go undetected. | Access to create or change discount or rebate system tables or records is appropriately restricted and reviewed, at least annually, by management. |
| O5-5.1.1 | O - Sales & Revenue | O5 - Rebates, Discounts & Commissions | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. |
| O6-1.1.1 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales contracts reflect the terms of sale and are properly approved. | Inappropriate commitments with customers could occur and ambiguous contract terms and conditions may result in the misstatement of revenue and potential disputes and litigation. | Standard contract forms should be used whenever possible and are reviewed by Legal at least annually; deviations from the standard contract form are reviewed by Legal prior to authorization. |
| O6-1.1.2 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales contracts reflect the terms of sale and are properly approved. | Inappropriate commitments with customers could occur and ambiguous contract terms and conditions may result in the misstatement of revenue and potential disputes and litigation. | Sales contracts are properly authorized. |
| O6-2.1.1 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales contracts are monitored to ensure compliance with terms. | Non-compliance with terms of contract may result in financial loss or litigation. Contracts may expire or require renewal action. Evergreen contracts may inadvertently renew. | Sales contracts are monitored by assigned personnel; a mechanism is in place to identify contracts due to expire, requiring renewal or termination. |
| O6-3.1.1 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are accurately recorded in the correct period in accordance with authoritative and County revenue recognition policies. Considerations include: 1) collectability is reasonably assured; 2) evidence of an arrangement exists; 3) price is fixed and determinable; and 4) delivery has occurred or services have been rendered. | Sales revenue may not be properly recognized. | Sales contracts and agreements are reviewed by management for terms that may affect timing or ability to recognize revenue (such as performance obligations, customer acceptance terms, installation requirements, shipping terms). |
| O6-3.1.2 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are accurately recorded in the correct period in accordance with authoritative and County revenue recognition policies. Considerations include: 1) collectability is reasonably assured; 2) evidence of an arrangement exists; 3) price is fixed and determinable; and 4) delivery has occurred or services have been rendered. | Sales revenue may not be properly recognized. | All sales in the last month of a quarter where the "risk of loss" did not pass until the first month of the next quarter are identified and reported; appropriate adjustments to revenue are recorded in the County books. |
| O6-3.1.3 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are accurately recorded in the correct period in accordance with authoritative and County revenue recognition policies. Considerations include: 1) collectability is reasonably assured; 2) evidence of an arrangement exists; 3) price is fixed and determinable; and 4) delivery has occurred or services have been rendered. | Sales revenue may not be properly recognized. | Invoice and credit memo standard terms and conditions are reviewed by Legal and Finance whenever a change is made. |
| O6-3.1.4 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are accurately recorded in the correct period in accordance with authoritative and County revenue recognition policies. Considerations include: 1) collectability is reasonably assured; 2) evidence of an arrangement exists; 3) price is fixed and determinable; and 4) delivery has occurred or services have been rendered. | Sales revenue may not be properly recognized. | Invoices are prepared and issued within the ERP (Enterprise Resource Planning) for all sales / leases. |
| O6-4.1.1 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are posted timely, accurately and to the correct accounts. | Sales may not be recorded in the correct period and/or for the correct amount. | Sales cutoff procedures are adhered to; invoices (billing documents) that are not financially posted are followed up and resolved in a timely manner. |
| O6-4.1.2 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are posted timely, accurately and to the correct accounts. | Sales may not be recorded in the correct period and/or for the correct amount. | Sales are properly recorded. |
| O6-4.1.3 | O - Sales & Revenue | O6 - Revenue Recognition & Sales Accounting | Sales are posted timely, accurately and to the correct accounts. | Sales may not be recorded in the correct period and/or for the correct amount. | Accruals for sales returns are made, when needed, based on documented experience. |
| O7-1.1.1 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | The system is configured to correctly age outstanding Accounts Receivable (A/R) balances. |
| O7-1.1.2 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | Accounts receivable aging reports and past due accounts, including miscellaneous, non-trade and notes receivables, are regularly reviewed and followed up for collection as needed. |
| O7-1.1.3 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | Write-offs / charge-offs are reviewed and approved in accordance with County policies and legal restrictions. |
| O7-1.1.4 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | Bad debts are recorded in the proper period in accordance with the accounting policy. |
| O7-1.1.5 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | Customer account balance disputes are logged, categorized and investigated to determine cause of any errors in A/R balances. |
| O7-1.1.6 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | An analysis of credit memos, by customer, is performed. Customers are notified of unused credits and appropriate follow-up is conducted. |
| O7-1.1.7 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable reflect the proper valuation based on the likelihood of collection, collection experience and County reserve guidelines. | Accounts and notes receivable may not be properly valued. | The A/R subsidiary ledgers are reconciled monthly to the general ledger A/R control account. |
| O7-2.1.1 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable are established based on County policies. | Accounts receivable may not be recorded, resulting in loss and understatement of assets. | Accounts receivable are set up at the time of billing based upon approved amounts. |
| O7-3.1.1 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Accounts receivable systems and records are properly safeguarded. | Loss or unauthorized changes to the data, records, or programs may lead to increased bad debts. | Access to customer A/R systems and records is appropriately restricted and is reviewed, at least annually, by management. |
| O7-4.1.1 | O - Sales & Revenue | O7 - Accounts Receivables (A/R), Collection & Bad Debt | Adequate segregation of duties exists among the authorization, custody of assets, recording of transactions and reconciliation. | Lack of segregation of duties may result in misappropriation of assets, inaccurate financial reporting, errors or irregularities, and/or improper and undetected use of funds or modification of data. | Adequate segregation of duties is maintained as documented in the SOD matrix; contact Internal Audit. Segregation of duties (or mitigating controls) must exist between the collections, billing and receivable functions. |
| P1-1.1.1 | P - Social Media | P1 - Personal Social Media Usage | Personal use of Social Media is appropriate; usage is monitored and conforms to laws and regulations. | Inordinate amounts of County time are used on personal social media activities resulting in lost productivity. | Supervision informally monitors social media usage by observation and inquiry. Appropriate guidance and follow up are given as needed. |
| P1-1.1.2 | P - Social Media | P1 - Personal Social Media Usage | Personal use of Social Media is appropriate; usage is monitored and conforms to laws and regulations. | Inordinate amounts of County time are used on personal social media activities resulting in lost productivity. | Information Technology monitors broadband use and identifies users and areas that appear to abuse County resources; management is informed of these users and areas. |
| P1-1.2.1 | P - Social Media | P1 - Personal Social Media Usage | Personal use of Social Media is appropriate; usage is monitored and conforms to laws and regulations. | Inappropriate and/or illegal media is accessed. | Information Technology monitors usage (e.g., visits to websites, posting / receiving pictures & messages) for inappropriateness (e.g., hate sites, underage pornography); management is informed of these users and areas. |
| P1-1.3.1 | P - Social Media | P1 - Personal Social Media Usage | Personal use of Social Media is appropriate; usage is monitored and conforms to laws and regulations. | Workplace harassment and abuse occur. | Workplace harassment is reported to HR for appropriate follow-up. |
| P2-1.1.1 | P - Social Media | P2 - County Social Media Usage | County (departmental) Social Media is used appropriately; usage is monitored and conforms to laws and regulations. | Inappropriate and/or illegal information may be posted to social media. | Official County postings to social media are appropriate and approved by Management. |
| P2-1.1.2 | P - Social Media | P2 - County Social Media Usage | County (departmental) Social Media is used appropriately; usage is monitored and conforms to laws and regulations. | Inappropriate and/or illegal information may be posted to social media. | Intellectual property is protected and controlled on social media. |
| P2-2.1.1 | P - Social Media | P2 - County Social Media Usage | A strategy for the County's use of Social Media exists and is followed. | Postings may offer incorrect or inconsistent messaging. | County postings to social media follow the approved strategy. |
| P2-2.2.1 | P - Social Media | P2 - County Social Media Usage | A strategy for the County's use of Social Media exists and is followed. | The County fails to respond timely and accurately to contrary or inaccurate social media postings. | A well-documented Social Media crisis management plan exists and has been tested. |
| Q1-1.1.1 | Q - Elections Process | Q1 - Voter Information | Voter information changes are valid and only made upon appropriate review and authorization. | Ineligible individuals may be allowed to vote. | Voter information changes are based on an authorized voter registration change card or other governmental agency approved change (e.g., death notice from the Register of Deeds Office). |
| Q1-1.1.2 | Q - Elections Process | Q1 - Voter Information | Voter information changes are valid and only made upon appropriate review and authorization. | Ineligible individuals may be allowed to vote. | Voter information changes are reviewed and approved by authorized management. |
| Q1-2.1.1 | Q - Elections Process | Q1 - Voter Information | Registered voter information is accurate. | The poll book is not accurate. Ineligible individuals may be allowed to vote. | The poll book is the official list of eligible voters in the County for each polling location and it is updated prior to each election. |
| Q1-2.1.2 | Q - Elections Process | Q1 - Voter Information | Registered voter information is accurate. | The poll book is not accurate. Ineligible individuals may be allowed to vote. | Department staff receives monthly and quarterly reports from the State Board and other state and federal sources of voters who have been convicted of a felony, are deceased, or have moved outside the County. |
| Q1-2.1.3 | Q - Elections Process | Q1 - Voter Information | Registered voter information is accurate. | The poll book is not accurate. Ineligible individuals may be allowed to vote. | Management reviews a sample of the flagged voters for accuracy prior to the State Board’s review and removal of ineligible voters. |
| Q1-2.1.4 | Q - Elections Process | Q1 - Voter Information | Registered voter information is accurate. | The poll book is not accurate. Ineligible individuals may be allowed to vote. | Prior to generating the final poll books for election day, department staff uploads into SEIMS (State-wide voter registration software system) the names of the early and absentee-by-mail voters. |
| Q1-2.1.5 | Q - Elections Process | Q1 - Voter Information | Registered voter information is accurate. | The poll book is not accurate. Ineligible individuals may be allowed to vote. | Department staff and management then perform a final review of the poll books for accuracy. |
| Q1-3.1.1 | Q - Elections Process | Q1 - Voter Information | Potential voter discrepancies (e.g., provisional ballots) are reconciled to lists of eligible voters. | Ineligible votes may be included in count totals. | Reconciliations - Department staff reconciles Authorization to Vote (ATV) and early voting applications to votes cast to verify vote totals are accurately reflected in election results. Staff reconciliations must include the preparer’s name and explanation of reconciling differences. |
| Q2-1.1.1 | Q - Elections Process | Q2 - Early Voting | Early Voting is available per State election laws. | Eligible voters may not be able to cast their votes. | The Department will mail absentee ballots to an eligible voter who makes a request in writing during the absentee-by-mail voting period. The voter may return their completed ballot by mail or in person. |
| Q2-1.1.2 | Q - Elections Process | Q2 - Early Voting | Early Voting is available per State election laws. | Eligible voters may not be able to cast their votes. | The Department makes early voting sites available to eligible voters. |
| Q3-1.1.1 | Q - Elections Process | Q3 - Poll Workers | Poll workers are trained on their duties, such as opening and closing the polling location, authorizing voters, and operating voting panels, which are the electronic devices voters use to cast their votes. | Elections (voting & counting) are not performed in accordance with State and Federal election laws. Inaccuracies are made and not found / corrected. | Poll workers receive training on their duties before each election regardless of the election type (local, State or Federal) and are supervised as needed. |
| Q3-1.1.2 | Q - Elections Process | Q3 - Poll Workers | Poll workers are trained on their duties, such as opening and closing the polling location, authorizing voters, and operating voting panels, which are the electronic devices voters use to cast their votes. | Elections (voting & counting) are not performed in accordance with State and Federal election laws. Inaccuracies are made and not found / corrected. | Each polling location includes a chief judge and two partisan judges who provide supervision; each location also has polling place assistants who provide support for election activities. |
| Q4-1.1.1 | Q - Elections Process | Q4 - Election Site Activities | Election (voting) locations are prepared before the day of voting. | Eligible voters may not be able to cast their votes. | Department staff delivers voting equipment to each of the County’s polling locations prior to the election. On the day before election day, poll workers set up voting equipment, assign duties, and ensure necessary voting materials are in place. In addition, they also deliver supplies to each precinct. The visits are logged in the Precinct Visit Logs. |
| Q4-2.1.1 | Q - Elections Process | Q4 - Election Site Activities | Only eligible voters are allowed to vote. | Ineligible voters may be allowed to vote. Eligible voters may not be able to cast their votes. | Poll workers review each voter's Authorization to Vote (ATV) application and confirm the voter’s information is in the poll book. |
| Q4-2.1.2 | Q - Elections Process | Q4 - Election Site Activities | Only eligible voters are allowed to vote. | Ineligible voters may be allowed to vote. Eligible voters may not be able to cast their votes. | When a voter’s information cannot be confirmed in the poll book, the voter is allowed to cast a provisional ballot. |
| Q4-3.1.1 | Q - Elections Process | Q4 - Election Site Activities | Voting information is conveyed to election officials. | Voting information is lost, changed or stolen. | Voting information is gathered and both electronic totals and physical ballots are conveyed to election officials. |
| Q4-4.1.1 | Q - Elections Process | Q4 - Election Site Activities | Incidents that occur at polling locations are reported per State Board requirements. | Incidents that may affect voting go unreported and corrections to election results are not made. | Incidents that occur at polling locations are reported on an Incident Report as required by State Board requirements. Examples of reportable incidents include a facility issue such as a polling location power outage or a ballot issue where the voter was given an incorrect ballot. |
| Q4-5.1.1 | Q - Elections Process | Q4 - Election Site Activities | Contingency plans are in place to address potential disruptions and / or physical emergencies during the election process. | Failure to have contingency plans may lead to delays, confusion, and / or compromised integrity of the elections. | Contingency plans are in place and are periodically tested to address potential disruptions and / or physical emergencies during the election process. Auxiliary places and processes exist. |
| Q5-1.1.1 | Q - Elections Process | Q5 - Election Certification | The County Elections Board certifies the official election results. | Election results are unknown and/or misreported. | The County Elections Board conducts a canvass to determine votes have been tabulated correctly and then certifies results to the State Board. The official results are published on both the State Board and Department websites. |
| Q6-1.1.1 | Q - Elections Process | Q6 - Records Retention | Records are kept in compliance with the North Carolina Records Retention and Disposition Schedule. | Documentation to support dispute resolution / litigation may not be available. | Records are kept in compliance with the North Carolina Records Retention and Disposition Schedule. |
| R1-1.1.1 | R - Fire Districts | R1 - Policies and Procedures | Written policies and procedures exist to: 1) guide decision making, helping to ensure that unwarranted risks (e.g., failure to meet minimum ISO rating, cash shortage) are avoided; and 2) provide continuity of processes over time. | Unforeseen / unplanned for circumstances result in the inability to provide services. | Review for completeness of topics and adequacy of controls. Examples of completeness: Hiring requirements, background checks, administrative policies, financial policies, SOGs, etc. |
| R1-1.1.2 | R - Fire Districts | R1 - Policies and Procedures | Written policies and procedures exist to: 1) guide decision making, helping to ensure that unwarranted risks (e.g., failure to meet minimum ISO rating, cash shortage) are avoided; and 2) provide continuity of processes over time. | Unforeseen / unplanned for circumstances result in the inability to provide services. | Determine whether the written policies and procedures are followed in the daily operations. |
| R2-1.1.1 | R - Fire Districts | R2 - Board Minutes and Long Range Planning | A record of Board decisions is complete and kept; key decisions are identifiable and adequately described. | Board decisions are not available to be used to refresh decisions nor settle disagreements about previous decisions made. | The Board (and sub-committees of the Board) meets regularly, as required by the corporate bylaws. |
| R2-1.1.2 | R - Fire Districts | R2 - Board Minutes and Long Range Planning | A record of Board decisions is complete and kept; key decisions are identifiable and adequately described. | Board decisions are not available to be used to refresh decisions nor settle disagreements about previous decisions made. | The minutes are kept at all Board meetings and are complete and on file. |
| R2-1.1.3 | R - Fire Districts | R2 - Board Minutes and Long Range Planning | A record of Board decisions is complete and kept; key decisions are identifiable and adequately described. | Board decisions are not available to be used to refresh decisions nor settle disagreements about previous decisions made. | Board Meeting minutes adequately capture key decisions (i.e., purchases of equipment, land or buildings, or other large expenditures; personnel decisions; review of finances). |
| R2-2.1.1 | R - Fire Districts | R2 - Board Minutes and Long Range Planning | The Department has long range planning that guides overall decision making. The plan is multi-faceted, well documented, and approved by the Board. | Short-term decisions are made that are detrimental to long-term viability and maintaining performance standards. | A written, multi-year plan exists. The plan encompasses all areas, but focuses on operations, finances and personnel. |
| R2-2.1.2 | R - Fire Districts | R2 - Board Minutes and Long Range Planning | The Department has long range planning that guides overall decision making. The plan is multi-faceted, well documented, and approved by the Board. | Short-term decisions are made that are detrimental to long-term viability and maintaining performance standards. | The plan is current and rolls, e.g., when one year passes another is added. |
| R3-1.1.1 | R - Fire Districts | R3 - Performance Measures | The Department has set performance standards for key areas. Standards and performance are reviewed; action items are captured and followed up. | Key areas are not reviewed and performance declines. | The department has set performance standards. There are reports that track actual performance. Actual performance is reported to the Chief and Board timely. |
| R4-1.1.1 | R - Fire Districts | R4 - Financial Statements | The Department has certified financial statements and management letters that document the district's financial situation. | The financial stability of the department (ongoing concern) is not reliably known. | The department has annual, audited financial statements. |
| R4-1.1.2 | R - Fire Districts | R4 - Financial Statements | The Department has certified financial statements and management letters that document the district's financial situation. | The financial stability of the department (ongoing concern) is not reliably known. | The annual financial statements have been shared with the County (Internal Audit / Fire Marshal); this includes a certificate of insurance (annual). |
| R4-1.2.1 | R - Fire Districts | R4 - Financial Statements | The Department has certified financial statements and management letters that document the district's financial situation. | The financial statements cannot be relied upon as to the financial state of the department. | The financial statements are in compliance with the County's contract requirements and there were no reportable or material issues in regards to compliance with generally accepted accounting principles. |
| R4-1.2.2 | R - Fire Districts | R4 - Financial Statements | The Department has certified financial statements and management letters that document the district's financial situation. | The financial statements cannot be relied upon as to the financial state of the department. | The financial statements do not have any unusual items such as: significant changes in account balances from the prior year(s), miscellaneous income and expense accounts, nor any unusual expense items. |
| R4-1.2.3 | R - Fire Districts | R4 - Financial Statements | The Department has certified financial statements and management letters that document the district's financial situation. | The financial statements cannot be relied upon as to the financial state of the department. | Review the notes to the financial statements. Determine if there were any management conditions reported to the Board by the financial statement preparer. |
| R5-1.1.1 | R - Fire Districts | R5 - Taxes | Department Tax returns are prepared and filed as appropriate. | Penalties and interest are incurred because of late or no filings. Unreturned funds are not available for Department use. | Obtain a copy of the corporation's prior year 990 tax return to ensure they are being completed and submitted to the IRS. Review for any unusual items. |
| R5-1.1.2 | R - Fire Districts | R5 - Taxes | Department Tax returns are prepared and filed as appropriate. | Penalties and interest are incurred because of late or no filings. Unreturned funds are not available for Department use. | Determine if department files for refund of sales tax and motor fuels tax. |
| R5-2.1.1 | R - Fire Districts | R5 - Taxes | Tax forms are prepared and distributed as appropriate. | The Department fails to comply with Federal and State tax law and becomes subject to fines and penalties. Individual taxpayers cannot file their personal taxes. | Determine if 1099-MISC & 1099-NEC Income forms are issued as per IRS regulations. |
| R6-1.1.1 | R - Fire Districts | R6 - Bank Accounts and Investments | The department has a written investment policy that has been approved by the Board. | Poor investment choices may be made; investments may be lost / stolen. | The department has an investment policy that documents the current practice for making investments such as: short-term vs. long-term investments of cash; investment account types; authorizations, monitoring, reviews and safekeeping. |
| R6-2.1.1 | R - Fire Districts | R6 - Bank Accounts and Investments | Daily Operations are sufficiently funded. | Daily operations are negatively impacted by cash shortfalls. | Daily operations needs are known (preferably forecasted) and sufficient funds are available; individuals who transact daily business are authorized and known by the Board. |
| R6-3.1.1 | R - Fire Districts | R6 - Bank Accounts and Investments | Bank statements are being reviewed and reconciled; cash is effectively managed. | Department resources are misused or stolen. | Bank statements do not have any unusual activity such as large cash deposits or withdrawals; large check deposits or withdrawals; unusual transfers or other debits and credits; unusual payees, endorsements by other than the payee, and authorized signatures. |
| R6-3.2.1 | R - Fire Districts | R6 - Bank Accounts and Investments | Bank statements are being reviewed and reconciled; cash is effectively managed. | Interest on cash balances is lost to use by the department. | Daily cash is being managed effectively; there is not a large cash balance in a non-interest bearing account. |
| R6-3.3.1 | R - Fire Districts | R6 - Bank Accounts and Investments | Bank statements are being reviewed and reconciled; cash is effectively managed. | Theft and misuse go undetected. Material errors are not detected and corrected. | Bank statements are reviewed and reconciled on a timely basis. |
| R7-1.1.1 | R - Fire Districts | R7 - Purchasing | The Department has a documented and Board approved purchasing policy. | Unauthorized / unneeded purchases may be made; purchases for personal use items (theft) may occur. | The Department has a documented and Board approved purchasing policy. |
| R7-1.1.2 | R - Fire Districts | R7 - Purchasing | The Department has a documented and Board approved purchasing policy. | Unauthorized / unneeded purchases may be made; purchases for personal use items (theft) may occur. | Purchases are in compliance with the purchasing policy. |
| R8-1.1.1 | R - Fire Districts | R8 - Budgeting | The Department has a budgeting process that results in a Board approved periodic (usually annual) budget. | Funds are expended without accountability toward balancing expenditures and revenues. Funds may not be available for required purchases (funds have already been received and spent). | The department has a well documented budget process; who prepares the budget, who reviews it, and who approves it are documented. The Board receives regular updates (includes variances and trends) and authorizes major changes to the budget. |
| S1-Records Management | S - Records Management | Note that Records Management Controls affect many processes and sub-processes. Consequently, there are record management controls found throughout SLIC. | | | |
| S1-1.1.1 | S - Records Management | S1 - System Access (Records) | The Record Management System (i.e., a computerized system like Munis or Granicus) is properly restricted to appropriate users. | Records (the information they contain) may not be adequately safeguarded against theft or unauthorized changes. | System access is properly restricted and monitored periodically (at least annually); appropriate access is given and restricted as personnel and personnel duties change. |
| S2-1.1.1 | S - Records Management | S2 - Segregation of Duties (Records) | Custody, change authorization and reconciliation within the Record Management System (i.e., a computerized system like Munis or Granicus) are properly segregated. | Unauthorized changes are made to the System and/or data. | Adequate segregation of duties (SOD) is maintained and documented. Privileges within the system are reviewed periodically for SOD issues. |
| S3-1.1.1 | S - Records Management | S3 - Procedures, policies and processes | Desk procedures and departmental policies, processes and procedures are followed. | Unintentional errors may be made. Inefficient / ineffective practices may be started / followed. | Desk procedures and departmental policies, processes and procedures are clearly documented and easily available. |
| S3-2.1.1 | S - Records Management | S3 - Procedures, policies and processes | Physical records are protected from physical damage. | Loss of records and / or loss of usability due to damage. | Physical records are protected from damage due to environmental conditions and pests (e.g., moisture and / or insects). |
| S4-1.1.1 | S - Records Management | S4 - Inventory & Business Continuity / Recovery | The records inventory is accurate and up to date. | Records on file could be missing or misplaced. | Record inventories are periodically (at least annually) reviewed and updated. |
| S4-2.1.1 | S - Records Management | S4 - Inventory & Business Continuity / Recovery | The department business continuity and/or disaster recovery programs (COOP) include Records Management. | Losses of important records due to damage, theft, or destruction could be permanent. | The department has incorporated Records Management into its Business Continuity Plan (COOP). |
| S5-1.1.1 | S - Records Management | S5 - Security (Records) | Records (physical and electronic) are archived, destroyed or disposed of in accordance with approved schedules. | Records that are legally and operationally required to be held could be inappropriately changed, destroyed or disposed of. Records are held for longer than necessary. | The County follows both North Carolina State and Guilford County record retention guidelines. |
| S5-1.1.2 | S - Records Management | S5 - Security (Records) | Records (physical and electronic) are archived, destroyed or disposed of in accordance with approved schedules. | Records that are legally and operationally required to be held could be inappropriately changed, destroyed or disposed of. Records are held for longer than necessary. | Staff review records periodically for retention and disposal. |
| S5-2.1.1 | S - Records Management | S5 - Security (Records) | Confidential records (physical and electronic) are destroyed using methods which provide adequate safeguards against accidental loss, disclosure, or re-construction. | Confidential information is not disposed of properly; the County is subjected to public / privacy breaches, identity theft, scams etc. | Records are destroyed in a secure manner that ensures the information cannot be lost, disclosed or re-constructed. |
| S5-3.1.1 | S - Records Management | S5 - Security (Records) | Physical and electronic records storage areas are protected from unauthorized access, theft, and environmental hazards. | Records could be changed, stolen or damaged. | Storage areas are restricted to prevent unauthorized access, damage, theft or other catastrophic loss of records. |
| S5-3.1.2 | S - Records Management | S5 - Security (Records) | Physical and electronic records storage areas are protected from unauthorized access, theft, and environmental hazards. | Records could be changed, stolen or damaged. | Physical access is only given to appropriate individuals. |
| S5-4.1.1 | S - Records Management | S5 - Security (Records) | Storage areas that hold physical records have adequate space to accommodate growth. | Inadequate room and disorganization of records. | Staff keeps records organized and records have adequate space. |
| T1-1.1.1 | T - Planning and Inspections | T1 Planning | Well-defined planning policies, procedures, guidelines and standards are in place to ensure that planning activities are conducted consistently and in accordance with applicable laws and County regulations. | Lack of well-defined planning policies and procedures can lead to inconsistencies, errors, and inefficiencies in the planning process. | Well-defined planning policies, procedures, guidelines and standards are in place that reflect applicable laws and County regulations. |
| T1-1.1.2 | T - Planning and Inspections | T1 Planning | Well-defined planning policies, procedures, guidelines and standards are in place to ensure that planning activities are conducted consistently and in accordance with applicable laws and County regulations. | Lack of well-defined planning policies and procedures can lead to inconsistencies, errors, and inefficiencies in the planning process. | There are periodic, documented reviews for changes in applicable laws and County regulations. |
| T1-2.1.1 | T - Planning and Inspections | T1 Planning | The planning process considers the strategic direction of the County. There is a clear link between the planning activities and the County's objectives. | If the planning process is not aligned with the strategic objectives and goals of the County, it can result in the misallocation of resources and failure to achieve desired outcomes. | Planning documents clearly link back to County objectives as found in Board of Commissioners meeting minutes or other Board approved documents. |
| T1-3.1.1 | T - Planning and Inspections | T1 Planning | Periodic, thorough risk assessments are conducted to identify potential risks and develop appropriate control measures to address them. | Failure to identify and assess risks associated with the planning process can result in inadequate risk mitigation strategies and poor decision-making. | A risk assessment is performed and documented when major changes to the County's Comprehensive Plan and/or Unified Development Ordinance are undertaken. |
| T1-4.1.1 | T - Planning and Inspections | T1 Planning | Stakeholders are engaged early on to obtain their input and feedback to ensure that the planning process reflects their needs and priorities. | Insufficient stakeholder engagement, e.g., lack of involvement and communication with key stakeholders, such as department heads, elected officials, and community representatives, can hinder the effectiveness of the planning process. | Stakeholder engagement is sought and documented as planning takes place (e.g., the Comprehensive Plan). |
| T1-5.1.1 | T - Planning and Inspections | T1 Planning | Robust data collection, validation, and verification procedures are in place to ensure the accuracy and completeness of the information used in the planning process. | Reliance on inaccurate or incomplete data during the planning process can lead to flawed analysis and decision-making. | Robust data collection, validation, and verification procedures (e.g., technical surveys, community input meetings & open houses) are used to gather and document data used in the decisioning process. |
| T1-6.1.1 | T - Planning and Inspections | T1 Planning | Establishing mechanisms to monitor and evaluate the progress and outcomes of the planning process is essential to ensure that objectives are being met and corrective actions are taken when necessary. | Inadequate monitoring and evaluation of the planning process can result in a lack of accountability and difficulty in assessing the effectiveness of the plans implemented. | Monitoring and evaluation processes exist to assess the effectiveness of the plans implemented. |
| T2-1.1.1 | T - Planning and Inspections | T2 - Economic Development | Well-defined economic development policies, procedures, guidelines and standards are in place to ensure that economic development activities are conducted consistently and in accordance with applicable laws and County regulations. | Failure to have adequate policies and procedures governing the economic development process, may result in inconsistency, favoritism, and / or non-compliance with applicable laws and regulations. | Well-defined planning policies, procedures, guidelines and standards are in place that reflect applicable laws and County regulations. |
| T2-1.1.2 | T - Planning and Inspections | T2 - Economic Development | Well-defined economic development policies, procedures, guidelines and standards are in place to ensure that economic development activities are conducted consistently and in accordance with applicable laws and County regulations. | Failure to have adequate policies and procedures governing the economic development process, may result in inconsistency, favoritism, and / or non-compliance with applicable laws and regulations. | There are periodic, documented reviews for changes in applicable laws and County regulations. |
| T2-2.1.1 | T - Planning and Inspections | T2 - Economic Development | There is adequate oversight and monitoring of economic development activities. This includes appropriate due diligence and approvals. | Insufficient oversight and monitoring of economic development activities can lead to mismanagement of funds, potential fraud, or misuse of resources. | There is a periodic review (at least annually) of the contract requirements and progress toward meeting those requirements; this review is documented and shared with County Management. |
| T2-2.2.1 | T - Planning and Inspections | T2 - Economic Development | There is adequate oversight and monitoring of economic development activities. This includes appropriate due diligence and approvals. | Failure to obtain appropriate approvals for incentives and grants may lead to funding being awarded to entities that do not meet the required criteria. | All incentives and grants are properly approved, including any amendments. |
| T2-2.3.1 | T - Planning and Inspections | T2 - Economic Development | There is adequate oversight and monitoring of economic development activities. This includes appropriate due diligence and approvals. | Insufficient due diligence in assessing the eligibility and suitability of recipients of economic development incentives or grants may lead to funding being awarded to entities that do not meet the required criteria. This can result in wasted resources and/or the County not receiving the expected economic benefits. | The due diligence process and associated incentive or grant award will be thoroughly documented detailing the nature of the grant and the specific qualifications of the recipient. The criteria for receiving the grant will be specifically included. |
| T2-3.1.1 | T - Planning and Inspections | T2 - Economic Development | Awarding of economic development initiatives and grants will be free of conflicts of interest. This includes vendors, contractors, developers, employees and County officials involved in the process. | Conflicts of interest in the economic development process could result in biased decision-making or personal gain at the expense of the County. | Conflicts of interest (actual or perceived) were considered when assigning contract administrator and other related roles. |
| T2-4.1.1 | T - Planning and Inspections | T2 - Economic Development | The economic development initiatives and grants process will keep accurate and complete reports that are issued timely to the appropriate levels of management. This includes performance measurements. | Poor record-keeping practices, inaccurate data entry, or inadequate reporting systems can lead to errors in financial statements or performance reports. This can hinder effective decision-making, impair transparency, and create opportunities for manipulation or misrepresentation of economic development outcomes. | Accurate and complete reports / documents are developed, reviewed and approved by appropriate individuals. |
| T2-4.2.1 | T - Planning and Inspections | T2 - Economic Development | The economic development initiatives and grants process will keep accurate and complete reports that are issued timely to the appropriate levels of management. This includes performance measurements. | Without clear performance measures and targets for economic development initiatives, it becomes challenging to evaluate effectiveness and assess the return on investment. Lack of robust performance measurement can result in continued funding for projects that do not deliver the intended results. | Clear, measurable (objective) performance measurements are used. These measures are the basis for payments and other incentives. |
| T2-5.1.1 | T - Planning and Inspections | T2 - Economic Development | Economic Development contracts should conform with Section B - Procurement as applicable. | ||
| T3-1.1.1 | T - Planning and Inspections | T3 - Inspections | Inspections are performed with no bias, no segregation of duties issues and / or conflicts of interest (perceived or actual). | Failure to perform inspections with no bias, no segregation of duties issues and / or no conflicts of interest (perceived or actual) can result in unsafe / poor quality construction and / or continued occupancy in unsafe conditions. Inspectors must not have personal relationships or financial interests that could compromise their impartiality or result in biased inspections. | Inspectors are not assigned to projects where there may be an actual or perceived conflict of interest. Inspectors are periodically asked if they have any conflicts of interest; this is documented. |
| T3-2.1.1 | T - Planning and Inspections | T3 - Inspections | All inspections are performed against well-defined and documented policies and procedures. | Failure to perform inspections against well-defined, and documented, policies and procedures can lead to inconsistencies, variations, or subjective interpretations among inspectors. This may result in unreliable inspection results and undermine the integrity of the process. | Well-defined and documented policies and procedures exist and are maintained. |
| T3-3.1.1 | T - Planning and Inspections | T3 - Inspections | Inspectors possess the necessary skills and knowledge to perform inspections effectively (certifications, industry experience, etc.). | Inadequate training and / or lack of competency could lead to incorrect or incomplete inspections, compromising the reliability and accuracy of the results. | Inspectors possess the necessary skills and knowledge to perform inspections effectively (certifications, industry experience, etc.). Inspectors stay current on new construction methods and models. |
| T3-4.1.1 | T - Planning and Inspections | T3 - Inspections | Periodically, inspections / inspectors are subject to appropriate supervisory oversight and review to ensure compliance with established standards and procedures. | Insufficient supervision increases the risk of errors or deviations from the required guidelines going unnoticed. | On a periodic basis, management reviews inspections to ensure compliance with established standards and procedures. These reviews are documented. |
| T3-5.1.1 | T - Planning and Inspections | T3 - Inspections | Proper documentation and records of inspections are kept. | Inadequate documentation and recordkeeping practices may result in missing or incomplete records, making it difficult to track and verify the inspection activities and outcomes. | Proper documentation and records of inspections are kept. |
| T3-6.1.1 | T - Planning and Inspections | T3 - Inspections | Identified deficiencies and / or non-compliance issues from inspections are properly addressed and followed up on. Corrective actions take place in a timely manner. | If identified deficiencies or non-compliance issues from inspections are not properly addressed or followed up on, it can weaken the effectiveness of the inspections process. Timely corrective actions are crucial to ensure that identified problems are rectified promptly. | Identified deficiencies and / or non-compliance issues from inspections are properly addressed and followed up on. Corrective actions take place in a timely manner. |