
Under Chapter 647 of the Acts of 1989, the Comptroller is responsible for developing internal control guidelines for Commonwealth departments. As the Comptroller’s business owners of internal controls, the Statewide Risk Management Team reviews and updates these guidelines, which assist departments in developing Internal Control Plans based on a comprehensive assessment of risks that could impede the attainment of departments’ goals and objectives. Departments are expected to identify and implement policies and procedures to mitigate risks, especially those related to the prevention of fraud, waste and abuse.

Departments should familiarize themselves with the documentation and tools for best practices provided in the categories below: overall Guidance for Internal Controls, tools to assist in the prevention and detection of Fraud, Waste and Abuse, best practices for departments receiving federal funds, and the Internal Control Questionnaire, a department’s annual certification as to its compliance with applicable laws, regulations and policies regarding internal controls.

New for FY2024: Internal Control Certification

Starting in Fiscal Year 2024, the Office of the Comptroller (CTR) will require each department head to certify through an annual Internal Control Certification (ICC).

The Internal Control Certification will require each department head to certify annually that they have a system of written internal controls, and that training and monitoring are actively in place as part of daily operations to achieve the department’s mission, to ensure compliance with CTR’s published guidance, and to prevent fraud, waste, and abuse of Commonwealth resources.

Each department’s Internal Control Officer, Single Audit Liaison, Chief Financial Officer and General Counsel should work closely with their senior management team to identify appropriate staff to assist with completion of the required certifications for each of the 15 sections of the ICC. Note that the 15 sections of the ICC match the topic sections listed in PowerDMS. We have also uploaded an “ICC Compliance Checklist” to PowerDMS which enables you to download a listing of all the policies, job aids and training materials that are currently posted on PowerDMS. Departments certify that these materials are included as part of their written internal controls, and training and monitoring are actively in place as part of daily operations.

Departments will have until June 28, 2024 to complete the ICC process.


Guidance From the Office of the Comptroller

COVID-19 Pandemic Response Internal Controls Guidance

Because the COVID-19 Pandemic has affected all departments, the Office of the Comptroller, in consultation with the State Auditor’s Office, is providing two options for updating internal controls.


CTR Cyber

A resource to promote cybersecurity awareness for everyone in your organization, to improve overall cyber hygiene, and to help prevent increasing denial of service (DoS), phishing, malware, and social engineering attacks.


Chapter 647 of the Acts of 1989

Chapter 647

An act relative to improving the internal controls within state agencies


Report Unaccounted for State Property or Funds

State agencies must immediately report to the Office of the State Auditor any lost, stolen, or unaccounted for state property or funds.


Other Internal Controls Resources

Association of Government Accountants Enterprise Risk Management Hub

Presentations, research, guidance on implementation, and examples of how Enterprise Risk Management is used in organizations

NASC Internal Control Questionnaires

Guidebook, glossary, and internal control questions from NASC Internal Controls Information Sharing Group


Fraud Prevention


If you have evidence of fraud, waste, or abuse, blow the whistle.

Association of Government Accountants Fraud Prevention Toolkit

AGA's Fraud Prevention Tool provides resources for federal, state, local and tribal government financial managers to use in preventing and detecting fraud.