SECTION OVERVIEW AND POLICIES
Internal Controls Assessment
Title 2, Chapter I, Part 6, Section 6.6 of the New York Codes, Rules and Regulations requires the head of an agency (e.g., Commissioner, Chancellor, Executive Director) to certify to the Comptroller annually, or at any time there is a new head of the agency, that the agency has sufficient internal controls over the payment process to ensure claims are appropriate to pay. Agency heads may use a variety of resources and techniques to obtain assurance about the internal controls over the payment process as a basis for that certification.
- To the extent feasible, separation of duties relating to vendor registration, ordering, receiving and payment functions;
- To the extent feasible, separation of online data entry of claims from claim certification functions; and
- Security over authorized access to agency-controlled systems in the form of operator identification and passwords.
Voucher Authorizer Designation
Section 110 of the State Finance Law requires the head of an agency or a designee to certify or approve the agency’s vouchers and expense reports to the Office of the State Comptroller for audit. To designate an individual other than the agency head to perform this function, the agency must file a written directive with the Office of the State Comptroller. Please see the Voucher Authorizers section below for additional information on this requirement.
Process and Document Preparation:
Annually, each agency head must email a signed certification form to the Office of the State Comptroller to certify internal controls over the:
- payment process, including specific segment(s) or focus area(s) in the subsequent section, Internal Controls Assessment; and
- voucher authorizer designation process.
The agency must complete and retain documentation to support its assessment of internal controls as “Satisfactory,” “Satisfactory with Weaknesses” or “Unsatisfactory.”
Agencies hosted by the Business Services Center (BSC) or another entity are required to certify controls over the portion(s) of the payment process that takes place at the agency. In cases where an agency head oversees more than one agency, the agency head should submit a separate certification form for each agency.
Please refer to the Internal Controls Certification Frequently Asked Questions document for further guidance. For any additional questions, please contact [email protected].
The agency head should use a variety of resources, tools and techniques to obtain evidence to support the Certification of Internal Controls over the Payment Process. These may include internal audit programs, checklists and/or the following programs provided by the Office of the State Comptroller:
Agencies should access reports in the Statewide Financial System’s (SFS) Analytics to obtain data. The Internal Controls Certification Frequently Asked Questions document contains additional guidance about these reports.
2025 Certification
For the certification due by April 30, 2025, in addition to the annual Certification of Internal Controls over the Payment Process, which includes the Voucher Authorizer Certification, each agency will be required to audit the effectiveness of controls over bulkload and voucher mass approval payment processing. Agencies should identify all bulkload and mass approval payment streams and include a list of those payment streams with the certification form.
The agency should perform a risk assessment of its various bulkload and/or mass approved vouchers to determine the audit’s scope, sample and testing plan.
At a minimum, for each method, agencies will be required to determine the following:
Bulkload Vouchers:
- Agency obtained all appropriate support for all payments and followed a process that includes verifying if:
  - The vendor provided required documentation,
  - Appropriate sign offs are on all relevant documentation.
- The agency followed appropriate procurement procedures and paid for goods and services that were properly received.
- Controls are in place to mitigate duplicate payments and ensure one invoice per voucher.
- Payments meet bulkload processing criteria.
- Agency’s accounting system uses the accounting codes and chart of accounts as stated in the GFO appropriately and accurately.
- Agency ensures payments are properly authorized and has a process that includes verifying that staff who approve a voucher have been authorized by the head of the Agency.
- Agency maintains audit and approval history of vouchers.
- Agency maintains appropriate documentation supporting payment and receipt of goods and services. Documentation should be retained for a period consistent with State Records Retention Laws.
Mass Approval Vouchers:
- Agency obtained all appropriate support for all payments and followed a process that includes verifying if:
  - The vendor provided all required documentation,
  - Appropriate sign offs are on all relevant documentation.
- Agency ensured all payments were accurate and only paid for goods and services received for both contract and non-contract procurements.
- Controls are in place to ensure only approved payment streams are included in the mass approval process.
- Agency received OSC approval to submit payments through mass approval prior to submission.
- Controls are in place to mitigate duplicate payments and ensure one invoice per voucher.
- Payments meet all criteria for approved mass approval payment streams.
- Agency reviewed all users’ financial system roles to determine if there is adequate separation of duties.
- The mass approver role in SFS is granted to appropriate individuals.
- Agency maintains appropriate documentation supporting payment and receipt of goods and services. Documentation should be retained for a period consistent with State Records Retention Laws.
To assist the agency’s audit objectives and testing, please see the “Bulkload and Mass Approval” audit program included within the Internal Controls Assessment of this GFO Section.
If the agency does not have bulkload or mass approval payments to audit, the agency should perform a risk assessment of its business processes and select another area for audit. Audit Programs from previous certifications are available for use.
2026 Certification
For the certification due by April 30, 2026, in addition to the annual Certification of Internal Controls over the Payment Process, which includes the Voucher Authorizer Certification, each agency will be required to audit the effectiveness of controls over SFS attachments and record retention.
Voucher Authorizers
Voucher authorizers are individuals authorized to certify or approve vouchers or expense reports as just, true and correct and, therefore, appropriate to pay. In accordance with Chapter XII, Section 4.B - Certification of Vouchers, annually, or upon change of the agency head, each agency should file its voucher authorizers and designees with the Office of the State Comptroller by completing the Voucher Authorizer Certification. This includes auditing the effectiveness of controls over the process to designate voucher authorizers. The agency should also file the positions each of its designees holds on Attachment A of the certification form.
Agencies that authorize another agency (e.g., Office of General Services’ BSC) to approve vouchers for submission to the Office of the State Comptroller must complete the Hosted Agencies section on Attachment A of the certification form to indicate the delegation of authority to the host agency.
- Agencies will be required to determine the effectiveness of controls over the voucher authorizer designation process. This includes testing a sample of transactions to ensure policies are being followed appropriately. The agency’s testing must include, but not be limited to, determining whether the agency has documented:
  - Relevant policies and procedures to coincide with SFS policies over user access and role assignments, or the policies of the applicable financial management system for bulkload agencies, if applicable.
  - That those responsible for performing voucher authorizer updates (e.g., agency security administrators, security designees) implemented them appropriately.
There are several resources in SFS to identify voucher authorizers. For example, queries are available for online agencies to obtain a list of (i) users with roles that allow them to approve vouchers and expense reports, and (ii) historical role changes by user. Information about queries can be found in SFS Coach.
Agencies that bulkload vouchers and expense reports into SFS will need to identify the corresponding role(s) in their financial management systems and obtain the needed data from within their agency’s system.
For additional guidance on voucher authorizers, please see GFO Chapter XII, Section 4.B – Certification of Vouchers and Chapter XIII, Section 2.C - Expense Report Certification.
Guide to Financial Operations
REV. 03/03/2025