Internal Controls

Internal Controls Overview

Security and Internal Controls for Stored Value Cards

The federal entity must establish and implement policies governing security and internal controls with respect to its SVC program in conformance with Government-wide and Treasury policies and procedures. The federal entity must establish and implement controls to protect against:

  • Loss, theft, and fraudulent or unauthorized use of SVC equipment, card stock inventories, preprinted forms, and other items used to access SVC systems, when such items are within the custody and control of the federal entity,
  • Loss, theft, and fraudulent or unauthorized disclosure of PINs, when PINs are within the custody and control of the federal entity,
  • Loss, theft, and fraudulent or unauthorized use of SVCs and SVC hardware in the custody and control of the federal entity or its contractor's illegal use of the card as a money-laundering vehicle,
  • Fraudulent or unauthorized use of on-line or off-line SVC software under its control, and
  • Other losses caused by theft or fraudulent or unauthorized activities in the federal entity’s implementation of the SVC program.

The federal entity’s procedures must include a process for promptly reporting, and for educating SVC holders on how to promptly report, to Treasury or Treasury’s financial or fiscal agent any loss, theft, or fraudulent or unauthorized use of SVC cards, PINs, passwords, or other security breach or malfunction involving the SVC program.

The federal entity must implement an internal audit process to review and recommend internal controls and safeguards with respect to its SVC program in conformance with Government-wide and the minimum Treasury policies and procedures. Periodically, Treasury and the federal entity review and update the criteria upon which the audit reviews are based.

For more information about security and internal controls see TFX Payment Mechanisms/Stored Value Cards or TFM Volume I, Part 4, Chapter 9000; Stored Value Cards (SVCs)

Internal Controls and Communications for the Lockbox Depository

The Lockbox Depositary shall:

Provide its employees and subcontractors with proper supervision, quality control, and training for accurate and timely compliance with the requirements of the DFA.

Conduct, at least quarterly, briefings with managerial and operational staff to review all security requirements identified under the DFA.

Reconcile billing inquiries with monthly account analysis statements for all services performed within 30 calendar days and immediately notify Fiscal Service in writing of any adjustments to be made.

Inform Fiscal Service of any requests for changes made by the agency relating to performance of the DFA.

Control the flow of work from the time it is received until it has been fully processed in compliance with the production, security, and quality requirements of the DFA.

Report deposits, transfer funds, and perform Lockbox Bank Management reporting in accordance with the procedures in this chapter.

Identify customer service representatives for technical or production concerns and financial matters.

Maintain a log of all cash and checks with blank payee lines received at the Lockbox (unless otherwise prescribed in an MOU).

Follow all audit guidelines written in the Lockbox Depositary's DFA and MOU as currently constituted or amended.

Maintain a log of security situations (access violations, problems with delivery of mail, etc.) that occur, procedures applied to remedy the situation, or new procedures implemented.

For more information about Internal Controls and Communication visit TFM Volume III, Part 2, Chapter 2000; Deposits in Lockbox Accounts at Authorized Domestic Depositaries (T/L 3)

Federal Financial Management Standards

Functions and Activities

Internal Control/ Compliance Reviews (FFM.110.050)

Implement standard internal control and compliance assurance procedures;

Provide documentation to satisfy “Prepared by Client” requests from auditors;

Prepare cycle memos;

Provide sample information and documentation for compliance with other guidance, such as OMB Circular A-123; Record adjustments based on audit findings

Federal Financial Management System Requirements (FFMSR)

Verifying Traceability (2.3.2)

Verify that GL account balances can be traced to aggregated or discrete transactions in agency programmatic systems and that the aggregated or discrete transactions can be traced to the point of entry and source documents consistent with the TFM.

Verify that financial statements and other required financial and budget reports can be traced to GL account balances as required by OMB Circular No. A-123 and as specified in the TFM.

Use Cases

Procure to Pay

Treasury Financial Manual (TFM)

TFM Volume I, Part 4, Chapter 9000; Stored Value Cards (SVCs)

TFM Volume III, Part 2, Chapter 2000; Deposits in Lockbox Accounts at Authorized Domestic Depositaries (T/L 3)

Contact Information

Contact Details

Direct inquiries concerning this chapter and stored value card programs to:

Attn: Nadir Isfahani
Bureau of the Fiscal Service
Department of the Treasury

3201 Pennsy Drive, Building E
Landover, MD 20785

202-874-5215

For additional information on SVCs, visit the following websites:

Bureau of the Fiscal Service

Stored Value Card

EZpay

EagleCash

NavyMarineCash

Direct inquiries regarding the Treasury Lockbox Network to:

Department of the Treasury
Bureau of the Fiscal Service
Revenue and Remittance Management Division

3201 Pennsy Drive, Building E
Landover, MD 20785

202-874-6892

lifecycle-visual
Auditing Payments

This page was last updated on May 05, 2021.