Internal Controls Are for Everybody!—Part One*

by  Norman H. Meyer, Jr.

Editor’s Note: This article will be a two-part series. Part two will be published in the spring 2023 edition of Court Manager

Quick—take a moment to think about what internal controls your court is using to minimize risk. Even more basically, do you know what internal controls are and the breadth and depth of a robust internal controls program? This article will explain why every court needs to have a comprehensive approach to the critical area of internal control of operations and what are the essential elements of such a program.

Here are a few horror stories from courts that did not have good internal controls (all these scenarios happened):

  • A traffic court deputy clerk steals cash payments received in the mail and deposits them into her personal bank account while not recording the proper payments in the court records.
  • An IT manager with procurement responsibilities arranges to receive kickbacks from a technology vendor awarded a court contract.
  • A court hires a new employee into a position handling confidential criminal case information without doing a criminal background check; the employee later divulges pending warrant information to a local criminal gang in which he once belonged and was convicted of several offenses.
  • A court’s electronic information system for both case management and probation services is hacked, compromising highly sensitive data.
  • A court procurement clerk sends court furniture out to be refinished, but some of the pieces never come back and are sold by the vendor, who shares the profits with the clerk.
  • A denial-of-service (DoS) attack on a court’s website makes the site unavailable for several days.
  • A state passes a new law revising the fines and fees for lower-level offenses, but a local court continues to use the old amounts for several months after the effective date.
  • A court is the victim of ransomware and has to pay a hefty cash amount to unlock its case management system.

One can easily imagine what the news media could (and did, in most instances) make of these incidents! If these courts had effective internal control policies and procedures in place, these events should not have happened. Before we go further, let’s make sure we know what is meant by the term “internal control”:

Internal controlis a process for assuring an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization. It is a means by which an organization’s resources are directed, monitored, and measured. It plays an important role in detecting and preventing fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).1

Notice that internal control spans all court operations, protecting all resources. Too often we only think of internal financial control, which is certainly vitally important and deserves lots of attention. As the definition above shows, a comprehensive approach covers not only financial, but also human capital, technological, data, property, and intangible resources.

The U.S. General Accountability Office (GAO) has published a detailed guide for governmental entities to implement internal control. The guide (also known as the Green Book) shows how internal control is a basic means for an organization to put its mission, strategic plan, goals, and objectives into action. The guide outlines five key components of internal control:2

  1. Control Environment—the foundation that provides the discipline and structure to help the organization to achieve its objectives.
  2. Risk Assessment—evaluating the risk facing the organization as it seeks to achieve its objectives. The assessment provides the basis for developing appropriate risk responses.
  3. Control Activities—the actions that management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.
  4. Information and Communication—the quality of information and communication management and personnel use to support the internal control system.
  5. Monitoring—the activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

Internal control is clearly not a simple function and requires continuous effort to do it right. Since internal control is very important to the proper functioning of any organization, what should be done to implement the five components?

In an effective internal control environment, the organization must achieve discipline and structure with these actions:

  • Commitment to integrity and ethical conduct.
  • Establishment of an organizational structure that effectively assigns and delegates responsibilities.
  • Efforts to hire, develop, and retain competent staff, evaluate their performance, and hold them accountable.

To minimize (and hopefully, eliminate) risk, the organization must start with these risk assessment actions:

  • Articulate clear organizational and operational objectives to enable the identification of associated risks and risk tolerance.
  • Consider the potential for fraud and other malfeasance.
  • Analyze and respond to changes that could impact the internal control system.

To respond to the identified risks to the organizational objectives, management should take these control activities:

  • Design specific control actions to respond to the identified risks.
  • Ensure that both manual and automated systems are included in control actions.
  • Enact comprehensive control policies.

It isn’t enough to create a good environment, assess risk, and create policies. Management needs to enact good information and communication actions:

  • Ensure that quality information is used to make decisions (and has been used in risk assessment and creation of policies).
  • Effectively communicate information about internal control both internally and externally. For instance, regular employee internal control training should incorporate appropriate policies.

Ongoing evaluation of how well internal control activities are performing is extremely important. Management should assess and remediate the quality of performance over time by these monitoring actions:

  • Establishing and implementing processes that monitor and evaluate control activities.
  • Monitoring activities continuously (e.g., via daily data analysis) and periodically (e.g., via audits), as appropriate.
  • Remediating identified control deficiencies on a timely basis.

It is easy to see how internal control cuts across every aspect of court operations: human resources, information technology, space and facilities, security, finance and budget/procurement, etc. What is also striking is how the control components and principles parallel the classic strategic planning cycle of activities.

One can think of internal control as strategic planning with a focus on risk assessment, avoidance, and remediation.

The internal control components and principles presented thus far are at a high, theoretical level. It is helpful to better understand what this means by exploring one court operational area and taking a deeper focus on practical internal control actions. We will do that in the next issue of the Court Manager where we will explore the area of financial controls in part two of “Internal Controls Are for Everybody.”

ABOUT THE AUTHOR

Norman H. Meyer, Jr., previously served as clerk of court, United States Bankruptcy Court, for the District of New Mexico and Eastern District of Virginia. He is a past president of NACM and a recipient of NACM’s Award of Merit.

*This article is an adaptation of a 4-part series of Court Leader Vantage Point blog posts (2019):
Risky Business, part one: Who needs “internal control?” Everyone does!—Court Leader
Risky Business, part two: Internal Control—How Do You Do It?—Court Leader
Risky Business, Part three: Practical Example of Internal Financial Controls—Court Leader
Risky Business, part four: Internal Control Resources—Court Leader

  1. Internal Control—Wikipedia.
  2. GAO Standards for Internal Control in the Federal Government – Publication GAO-14-704G (2014) Standards for Internal Control in the Federal Government | U.S. GAO