Metro-North Railroad Internal Control System 2011 Manual

Questions about Internal Controls? Contact Metro-North’s Internal Control Officer: Nate Gilbertson, Deputy Director, Corporate Compliance & Strategic Development, [email protected] or 212-340-2197

v2 09.12.2011



ICS Manual – Slide 2

Internal Controls at Metro-North

Internal Control is defined as: The integration of activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission. It is a process performed by people and is the responsibility of all employees.

The purpose of Internal Controls is to:

• Promote orderly, economical, efficient and effective operations, and produce quality products and services consistent with the organization’s mission.

• Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.

• Promote adherence to laws, regulations, contracts and management directives.

• Develop and maintain reliable financial and management data, and accurately present that data in timely reports.

Click here for President Permut’s Annual Memo on Internal Controls.

ICS Manual – Slide 3

• User ID is your Employee ID Number

• Password is your regular LAN password

• 2011 Internal Control Reviews are due by December 15, 2011

Click here for Internal Control Terms & Definitions.

Log-in to the Internal Control System http://www.mnr.org/ics/menu.cfm

ICS Manual – Slide 4

Step 1: Coordinators Clone Business Activities

• Coordinators copy (“clone”) prior year’s Business Activities by clicking on “CLONE Business Activity” button.

• If your Department needs to switch Coordinators, contact Nate Gilbertson at [email protected] or 212-340-2197.

ICS Manual – Slide 5

Step 1 Continued: Coordinators Review, Add, Edit & Delete Business Activities

• Based on a Departmental review of current Business Activities, Coordinators may need to Add new or Edit/Delete existing Business Activities using these buttons on the main menu (editing here only refers to editing the title of the activity—editing information in the Forms comes later).

ICS Manual – Slide 6

Step 2: Coordinators Assign & Email Initiators

• Coordinators check a pre-populated list of Initiators (who perform Risk Assessments) from the prior year’s activities and re-assign to the appropriate person as necessary – do not change the date last completed. If a Business Activity is new, choose an Initiator from the drop-down menu.

• Initiators must be familiar enough with the Business Activities to responsibly assign risk levels. Click the “Save & Email Initiators” button and an automatic email will prompt Initiators to complete Risk Assessments.

ICS Manual – Slide 7

Important Reminder: Risk Assessments Must Be Completed EVERY Year for EVERY Business Activity

• Risk Assessments must be performed EVERY year for EVERY Business Activity—even if the activity is not due for a full review this year.

• In order for Reviewers to be able to do their work (completing the online Internal Control Forms), the following must be completed:
– Initiators complete all Risk Assessments;
– Coordinators approve all Risk Assessments and an automatic email is sent to Department Head; and
– Department Head approves all Risk Assessments.

ICS Manual – Slide 8

Main Menu Tip for Coordinators, Initiators and Reviewers

• The “Process/View IC Reports” button on the Main Menu takes you to the status screen where Coordinators, Initiators and Reviewers will see a listing of their Business Activities and be able to perform their work. This is the primary button to use throughout the process.

• The other 2 buttons provide options for viewing certain Business Activities and/or reports for current and prior year activities. These are used much less often.

• The “HOME” button on any other screen will always bring you back to this Main Menu screen.

ICS Manual – Slide 9

Step 3: Initiators Assign Reviewer & Risk Levels

• Initiators assign the Sub-Department, Reviewer and Risk Levels (see next slide) for each Business Activity.

• Reviewers are the people responsible for completing the Internal Control Reviews using the online Forms (they do most of the real work!).

ICS Manual – Slide 10

Step 3: Initiators Assign Reviewer & Risk Levels

The “Overall Risk” level assigned to each Business Activity determines how often it must be tested and reviewed:

Risk Level    Review Cycle
Very High     Annually (i.e. 2010, 2011, 2012, etc.)
High          Every 2 years (i.e. 2007, 2009, 2011, etc.)
Moderate      Every 3 years (i.e. 2007, 2010, 2013, etc.)
Low           Every 4 years (i.e. 2003, 2007, 2011, etc.)

Click here for more information on Risk Assessments and assigning Risk Levels.

ICS Manual – Slide 11

Step 4: Coordinators Review & Approve All Risk Assessments

• Once Initiators complete all Risk Assessments, Coordinators go to “Process/View IC Reports” from the Main Menu to access the Status Screen and Approve all Risk Assessments.

• The “Approve” button must be clicked for each Business Activity (continued on next slide).

ICS Manual – Slide 12

Step 4 Continued: Coordinators Select & Email Department Heads for Review & Approval of Risk Assessments

• Once all Risk Assessments are approved, a drop-down menu will appear and Coordinators then select their Department Head from the list. All Business Activities must be included prior to Department Head approval. No new Business Activities can be added once the Department Head approves the Risk Assessments for the year.

• An automatic email will prompt the Department Head to approve all Risk Assessments.

• Department Heads must approve all Risk Assessments prior to Reviewers starting their work. Once Department Heads approve all Risk Assessments, an automatic email notifies all Reviewers that they can begin editing and completing the online Forms.

ICS Manual – Slide 13

Step 5: Reviewers Review & Edit Forms

• Reviewers go to “Process/View IC Reports” from main menu to access the Status Screen for a listing of their Business Activities.

• Click on the HIGHLIGHTED name of each Business Activity in order to review and edit the online Forms.

• Not all Business Activities are due for review every year. If the year listed in the “NEXT REVIEW” column is 2011, it is due for review.

ICS Manual – Slide 14

Step 5: Reviewers Review & Edit Forms

• Reviewers must click on each of their Business Activities. Reviewers will see 1 of 3 different screens based on whether or not a Business Activity is due for review and whether or not information on this Business Activity has been entered into the ICS in a prior year.

• 1) Business Activity NOT due for review. Reviewers will see the screen that includes a green “ICR Not Due this Year” button. Reviewers must click on this button to close out this activity for the year. No further action is required for activities that are not due.

ICS Manual – Slide 15

Step 5: Reviewers Review & Edit Forms

• 2) Business Activity IS due for review – AND information on this Business Activity has been entered into the ICS in a prior year. Reviewers will see this screen indicating a Report has already been created. Reviewers click “Yes” to view the 1st Form, which is the Documentation of Activity Cycles Form. It will display all the information already entered into the system from a prior year (see slide 18 to see the completed Form).

• With Business Activities that have been reviewed online in a prior year, Reviewers will see the screen above prior to each Form loading. Reviewers must click “YES” to copy the information into the current Form from the prior year.

ICS Manual – Slide 16

Step 5: Reviewers Review & Edit Forms

• 3) Business Activity IS due for review – AND it is a new Business Activity or is a Business Activity which has never been reviewed using the online system. Reviewers will see this screen with blank boxes which need to be filled in (continued on next slide).

ICS Manual – Slide 17

Step 5: Reviewers Review & Edit Forms

• When entering data into a Form for the first time, each step is entered separately. A sequential number is assigned to each step once all required fields on the screen are filled in and the “SAVE” button is clicked on (see next slide).

ICS Manual – Slide 18

Step 5: Reviewers Review & Edit Forms

Click on # to edit text or delete step

Click this button to add another step

Click this button to go to the next Form

• Reviewers should review and edit descriptions of the Process/Procedure to ensure they describe and reflect actual Departmental practices.

ICS Manual – Slide 19

Step 5: Reviewers Review & Edit Forms

• The 2nd Form describes Control Objectives and Techniques. The Reviewer evaluates the Control Objectives and Techniques and makes a determination of the strength of each technique. How well does the particular Control Technique accomplish the Control Objective?

• If a Control Technique is determined to be weak in terms of its ability to accomplish the Control Objective, a Corrective Action Plan (CAP) may be needed (see slide 22).

ICS Manual – Slide 20

Step 6: Testers Conduct Testing

• Testing of Internal Controls is a critically important step.

• Testing determines the extent to which staff follow prescribed policies and procedures in actual practice: it compares procedures as executed against required or expected procedures.

• Testing provides objective evidence on how well controls are executed. It shows us if we are actually doing what we think or say we are doing.

• Testing is performed outside of the online system and must be done prior to completing the online Test of Controls Form.

• Tests should be performed by someone other than the person responsible for the Business Activity.

• Testers should document and keep testing methods and results on file. These are needed for auditing purposes.

• Coordinators should review test methods and results, as they are responsible for ensuring that the testing of controls is being performed on Business Activities they are responsible for.

Click here for additional information and guidance on Testing.

ICS Manual – Slide 21

Step 6 Continued: Reviewers Input Test Results to Determine if a Corrective Action Plan is Necessary

• The 3rd Form is the Test of Internal Controls Form.

• Click on the highlighted number or the YES or NO to edit and/or change results from YES to NO or NO to YES.

• The default answer to the functioning and adequate questions is YES.

ICS Manual – Slide 22

Step 6 Continued: Reviewers Input Test Results to Determine if a Corrective Action Plan is Necessary

• If test results show that all control techniques are functioning and adequate (all “YES” answers) – click the “All Forms Processed” button since no Corrective Action Plan is necessary. An automatic email will notify the Coordinator that all Forms are complete.

• If the answer to any functioning and/or adequate question is “NO,” a Corrective Action Plan Form must be filled out – click on “Corrective Action Plan?” button. Click here only if there is a “NO” answer or if a weakness was identified earlier in the review (slide 19).

ICS Manual – Slide 23

Step 6 Continued: Reviewers Complete CAPs & Coordinators & Department Heads Approve CAPs

• Corrective Action Plans (CAPs) are only needed if test results show that a particular control is not working as intended or a weakness is identified in the review of Control Objectives and Techniques. Typically, the majority of Business Activities will NOT have CAPs.

• If a Corrective Action Plan is necessary, Reviewers need to work with Department staff to identify and describe what will be done to correct the problem or weakness.

• A Person Responsible for implementing the recommended actions must be named. An estimated date of when corrective actions will be implemented must also be listed on the Corrective Action Plan Form.

• All CAPs must be approved by the Coordinator and then the Department Head prior to Coordinator being able to complete and approve all of their Internal Control Reviews for the year.

ICS Manual – Slide 24

Step 7: Coordinators & Department Heads Approve All Internal Control Reviews

• Coordinators review and approve Internal Control Reviews (all Forms) for all Business Activities. Again, all Approve buttons must be clicked on in order for Coordinators to close out their work.

• Once all ICRs are approved, Coordinators click on “All ICRs Approved for the Year” button. A final message will appear notifying Coordinators that all ICRs are completed.

• Coordinators must then notify their Administrator, so the Department Head can certify completion for the year (see next slide).

ICS Manual – Slide 25

Step 7 Continued: Administrators Email Department Heads for Certification

• Once all Coordinators for the Department have completed all ICRs, the Administrator emails the Department Head to complete the Certification Form by clicking on the “Certification Form” button.

• The Department Head then reviews and approves all ICRs.

• Department Heads who report to a Vice President must also have their Vice President complete a Certification Form.

• Once all Department Heads and Vice Presidents have certified and the Internal Control Officer prepares Metro-North’s 2011 Internal Control Report, President Permut signs the final certification. It is submitted to MTA along with the other MTA Agencies, signed by the MTA Chairman, and then submitted to New York State.