4 FAH-2 H-220 INTERNAL CONTROLS
(CT:DOH-29; 07-19-2013)
(Office of Origin: CGFS/FPRA/FP)
4 FAH-2 H-221 INTRODUCTION
(CT:DOH-29; 07-19-2013)
a. The internal controls built into the financial
system and those imposed by the Bureau of the Comptroller and Global
Financial Services (CGFS) policy must be effective and reasonable in
regard to the volume of business. The U.S. disbursing officer (USDO) is held
responsible for adherence to internal controls as described in this subchapter
and elsewhere in 4 FAH-2 but may delegate some duties. When the USDO delegates
the duties to subordinates, the USDO must formulate a procedure to ensure that
the delegated tasks are being performed as required. If the presence of key
individuals is a critical element in the process, the USDO must ensure that the
proper individuals, or their alternates, are available for the operation.
b. Failure to observe the internal controls can result
in disciplinary action up to and including dismissal. The USDO should
continually search for ways to improve internal controls within the office.
4 FAH-2 H-222 INTERNAL CONTROLS AFFECTING PAYMENTS
(CT:DOH-29; 07-19-2013)
a. Entry of financial transactions into the financial
system is restricted to documents that are certified or approved.
b. The USDO should ensure that there is separation of
duties and effective checks and balances for the creation and transmission of
electronic funds transfer (EFT) payments consistent with the EFT software
constraints or capabilities. Employees are authorized access to the systems to
send EFT transfers in accordance with the various security policies.
c. The EFT payments must be documented and reviewed by
the USDO. The documentation must include the requirement that generated the
EFT, the creation of the EFT, evidence of the transmission, and a confirmation
that the EFT was processed by the financial institution.
d. Payments greater than U.S. $1 million or equivalent
must be approved by the USDO.
e. Non-electronic certifying system (ECS) vouchers or
schedules must be examined for certification or USDO approval.
f. For ECS vouchers, the USDO must verify that the names of the
disbursing file authorizers are on file at the CGFS Center and with
CGFS/DO prior to accepting and decrypting batches.
g. The USDO must approve emergency payments.
h. The USDOs at CGFS Charleston and Bangkok must initially review their
respective reports from Treasury and system-produced reports reflecting
the USDO accountability by the 3rd workday of the month.
i. The check stock custodian should exercise controls
over U.S. Treasury checks while in the process of preparation. The controls
must be designed to protect against loss or theft, to prevent the release of
imperfect checks, and to promptly disclose any discrepancy. The check stock
custodian and the alternate will be the only two employees who have access to
the check stock inventory records.
j. The USDOs perform and document check stock
reconciliations and report the results to the Director of Global Disbursing
Operations on a quarterly basis.
k. Only the check stock custodian and their alternate
shall have the combination to the check stock vault.
l. Two or more persons must participate in the daily
payment cycle.
m. An employee will be appointed to oversee the payment
cycle. The appointed employee will not have access to all the functions
required to perform the payment cycle, including printing checks and creation
of funds transfers.
n. If ECS is not being used, the USDO must use a valid, Government
Accountability Office (GAO)-approved electronic sampling methodology to
check the accuracy and certification of all payments and to ensure the
integrity of the disbursing operations.
4 FAH-2 H-223 INTERNAL CONTROLS AFFECTING SYSTEMS
(CT:DOH-29; 07-19-2013)
a. A proper separation of duties must exist and be reflected in the
systems access profiles for all CGFS personnel. Access levels and
passwords and/or IDs for all systems will
be under the control of the information systems security officer (ISSO). The
ISSO is responsible for establishing a unique password for each employee.
Employees will not share passwords and/or IDs for information systems or
software. Sharing of password and/or ID is a serious offense subject to
possible disciplinary action. (Sharing is the use of an employee's password
and/or ID by another employee or an employee letting another employee use her
or his password and/or ID.) Proprietary bank software programs used to
transfer EFTs that include common passwords that are used by all authorized
users are excluded from this requirement not to share passwords.
b. Systems access within the disbursing module should
be limited. Accounting employees should have access to only the accounting
portion of the financial system.
c. All stand-alone computers used to perform transfers
of funds will be kept in a controlled environment accessible only to those
employees authorized to use the computers.
d. No employee will be authorized to perform the entire
funds transfer process. Programs used to transfer funds are governed by strict
separation of duties. The ISSO will not change access to information systems
or software used to transfer funds without the written approval of the USDO. A
written, signed request will be required and maintained by the ISSO to document
changes.
e. On an annual basis, the USDO, accounting chief, payroll chief, ISSO,
and other officials at the CGFS Center will review the internal controls
for all systems and verify that systems accesses for all CGFS personnel
support the proper separation of duties. The review must be documented
and sent to the Comptroller and Assistant Secretary for CGFS.
4 FAH-2 H-224 INTERNAL CONTROLS AFFECTING ELECTRONIC FUNDS TRANSFER (EFT)
(CT:DOH-29; 07-19-2013)
a. The USDO is responsible for establishing and maintaining the controls
specified in the Fedline Security Policy. The ISSO at each CGFS Center
is the local security administrator for Fedline operations at the CGFS
Center.
b. Following a written request from the USDO, the ISSO
will control and assign local user ID and will coordinate the action required
to obtain a host user code and password for each user from the Federal Reserve
Bank.
c. The Fedline system will be configured so that data
can only be imported into the system. Such input must be from the official
financial system or other duly certified request.
d. No Fedline transactions will be made without
supporting documentation.
e. Each CGFS Center will establish procedures to document Fedline
payments made through the ACH
using the ACDP 23 for Operating System. The Fedline payment confirmation
(which is usually received two hours after the payment is sent) will become a
supporting document for the Fedline payment. An individual who is not involved
in either entering or approving the file will review the Fedline transactions
on a daily basis. All related documents should be maintained as supporting
documentation for the payment.
f. The person performing the Fedline procedure may not
process a payment to their personal account.
g. The USDO will, in cooperation with the ISSO, ensure
that two employees are required to complete the process of importing files into
Fedline and sending the files to the appropriate bank. One employee and an
alternate should be responsible for importing the files into Fedline, and the
USDO and an assistant USDO (as the USDO alternate) should be responsible for
sending the files to the Federal Reserve Bank (FRB).
h. Each USDO will establish written procedures to
protect transmissions via the Society for Worldwide Interbank Financial
Telecommunications (SWIFT), remote check printing, and other forms of EFT.
4 FAH-2 H-225 INTERNAL CONTROLS AFFECTING OPERATIONS
(TL:DOH-1; 06-13-2001)
The combinations to the check stock vaults and all safes
in the disbursing office must be changed when staff leaves, or once a year.
4 FAH-2 H-226 THROUGH H-229 UNASSIGNED