GAO-14-704G, Standards for Internal Control in the Federal Government

Transcription

United States Government Accountability Office
By the Comptroller General of the United States
September 2014
GAO-14-704G
Standards for Internal Control in the Federal Government

What is the Green Book and how is it used?
Important facts and concepts related to the Green Book and internal control

Internal control and the Green Book

What is internal control?
Internal control is a process used by management to help an entity achieve its objectives.

How does internal control work?
Objective identified -> Controls designed -> Controls in place -> Objective achieved

Internal control helps an entity
• Run its operations efficiently and effectively
• Report reliable information about its operations
• Comply with applicable laws and regulations

How is the Green Book related to internal control?
Standards for Internal Control in the Federal Government, known as the Green Book, sets internal control standards for federal entities.

How does an entity use the Green Book?
An entity uses the Green Book to design, implement, and operate internal controls to achieve its objectives related to operations, reporting, and compliance.

Who would use the Green Book?
• A program manager at a federal agency
• A compliance officer responsible for making sure that personnel have completed required training
• Inspector general staff conducting a financial or performance audit
• An independent public accountant conducting an audit of expenditures of federal dollars to state agencies

The standards in the Green Book are organized by the five components of internal control shown in the cube below. The five components apply to staff at all organizational levels and to all categories of objectives.

[Cube figure: categories of objectives (Operations, Reporting, Compliance) across the top; components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) as the rows; levels of organizational structure (for example, an operating unit) as the third dimension.]

Principles
Each of the five components of internal control contains several principles. Principles are the requirements of each component.
• Control Environment: 5 principles
• Risk Assessment: 4 principles
• Control Activities: 3 principles
• Information and Communication: 3 principles
• Monitoring: 2 principles

Attributes
Each principle has important characteristics, called attributes, which explain principles in greater detail.

Page structure
Green Book pages show components, principles, and attributes. Sample page (page 22 of the Green Book):

Component: Control Environment

Principle 1 - Demonstrate Commitment to Integrity and Ethical Values

1.01 The oversight body and management should demonstrate a commitment to integrity and ethical values.

Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
• Tone at the Top
• Standards of Conduct
• Adherence to Standards of Conduct

Tone at the Top

1.02 The oversight body and management demonstrate the importance of integrity and ethical values through their directives, attitudes, and behavior.

1.03 The oversight body and management lead by an example that demonstrates the organization’s values, philosophy, and operating style. The oversight body and management set the tone at the top and throughout the organization by their example, which is fundamental to an effective internal control system. In larger entities, the various layers of management in the organizational structure may also set “tone in the middle.”

1.04 The oversight body’s and management’s directives, attitudes, and behaviors reflect the integrity and ethical values expected throughout the entity. The oversight body and management reinforce the commitment to doing what is right, not just maintaining a minimum level of performance necessary to comply with applicable laws and regulations, so that these priorities are understood by all stakeholders, such as regulators, employees, and the general public.

1.05 Tone at the top can be either a driver, as shown in the preceding paragraphs, or a barrier to internal control. Without a strong tone at the top to support an internal control system, the entity’s risk identification may be incomplete, risk responses may be inappropriate, control activities may not be appropriately designed or implemented, information and communication may falter, and results of monitoring may not be understood or acted upon to remediate deficiencies.

Sources: GAO and COSO.
GAO.GOV/GREENBOOK

Contents

Overview
  Foreword
  How to Use the Green Book
  Section 1 - Fundamental Concepts of Internal Control
    Definition of Internal Control
    Definition of an Internal Control System
  Section 2 - Establishing an Effective Internal Control System
    Presentation of Standards
    Components, Principles, and Attributes
    Internal Control and the Entity
    Roles in an Internal Control System
    Objectives of an Entity
  Section 3 - Evaluation of an Effective Internal Control System
    Factors of Effective Internal Control
    Evaluation of Internal Control
  Section 4 - Additional Considerations
    Service Organizations
    Large versus Small Entities
    Benefits and Costs of Internal Control
    Documentation Requirements
    Use by Other Entities
Control Environment
  Principle 1 - Demonstrate Commitment to Integrity and Ethical Values
    Tone at the Top
    Standards of Conduct
    Adherence to Standards of Conduct
  Principle 2 - Exercise Oversight Responsibility
    Oversight Structure
    Oversight for the Internal Control System
    Input for Remediation of Deficiencies
  Principle 3 - Establish Structure, Responsibility, and Authority
    Organizational Structure
    Assignment of Responsibility and Delegation of Authority
    Documentation of the Internal Control System
  Principle 4 - Demonstrate Commitment to Competence
    Expectations of Competence
    Recruitment, Development, and Retention of Individuals
    Succession and Contingency Plans and Preparation
  Principle 5 - Enforce Accountability

Page i    GAO-14-704G Federal Internal Control Standards

    Enforcement of Accountability
    Consideration of Excessive Pressures
Risk Assessment
  Principle 6 - Define Objectives and Risk Tolerances
    Definitions of Objectives
    Definitions of Risk Tolerances
  Principle 7 - Identify, Analyze, and Respond to Risks
    Identification of Risks
    Analysis of Risks
    Response to Risks
  Principle 8 - Assess Fraud Risk
    Types of Fraud
    Fraud Risk Factors
    Response to Fraud Risks
  Principle 9 - Identify, Analyze, and Respond to Change
    Identification of Change
    Analysis of and Response to Change
Control Activities
  Principle 10 - Design Control Activities
    Response to Objectives and Risks
    Design of Appropriate Types of Control Activities
    Design of Control Activities at Various Levels
    Segregation of Duties
  Principle 11 - Design Activities for the Information System
    Design of the Entity’s Information System
    Design of Appropriate Types of Control Activities
    Design of Information Technology Infrastructure
    Design of Security Management
    Design of Information Technology Acquisition, Development, and Maintenance
  Principle 12 - Implement Control Activities
    Documentation of Responsibilities through Policies
    Periodic Review of Control Activities
Information and Communication
  Principle 13 - Use Quality Information
    Identification of Information Requirements

    Relevant Data from Reliable Sources
    Data Processed into Quality Information
  Principle 14 - Communicate Internally
    Communication throughout the Entity
    Appropriate Methods of Communication
  Principle 15 - Communicate Externally
    Communication with External Parties
    Appropriate Methods of Communication
Monitoring
  Principle 16 - Perform Monitoring Activities
    Establishment of a Baseline
    Internal Control System Monitoring
    Evaluation of Results
  Principle 17 - Evaluate Issues and Remediate Deficiencies
    Reporting of Issues
    Evaluation of Issues
    Corrective Actions
Appendix I: Requirements
Appendix II: Acknowledgments
  Comptroller General’s Advisory Council on Standards for Internal Control in the Federal Government (2013-2015)
  GAO Project Team
  Staff Acknowledgments
Glossary
Figures
  Figure 1: Green Book Sample Page
  Figure 2: Achieving Objectives through Internal Control
  Figure 3: The Five Components and 17 Principles of Internal Control
  Figure 4: The Components, Objectives, and Organizational Structure of Internal Control

  Figure 5: The 17 Principles Supporting the Five Components of Internal Control
  Figure 6: Examples of Common Categories of Control Activities

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Overview

Foreword

Policymakers and program managers are continually seeking ways to improve accountability in achieving an entity’s mission. A key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system. An effective internal control system helps an entity adapt to shifting environments, evolving demands, changing risks, and new priorities. As programs change and entities strive to improve operational processes and implement new technology, management continually evaluates its internal control system so that it is effective and updated when necessary.

Section 3512 (c) and (d) of Title 31 of the United States Code (commonly known as the Federal Managers’ Financial Integrity Act (FMFIA)) requires the Comptroller General to issue standards for internal control in the federal government. Standards for Internal Control in the Federal Government (known as the Green Book) provides the overall framework for establishing and maintaining an effective internal control system. Office of Management and Budget (OMB) Circular No. A-123 provides specific requirements for assessing and reporting on controls in the federal government. The term internal control in this document covers all aspects of an entity’s objectives (operations, reporting, and compliance).

The Green Book may also be adopted by state, local, and quasi-governmental entities, as well as not-for-profit organizations, as a framework for an internal control system. Management of an entity determines, based on applicable laws and regulations, how to appropriately adapt the standards presented in the Green Book as a framework for the entity.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its internal control guidance in 2013 with the issuance of a revised Internal Control - Integrated Framework.[1] COSO introduced the concept of principles related to the five components of internal control. The Green Book adapts these principles for a government environment.

[1] See Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework (New York: American Institute of Certified Public Accountants, 2013).

The standards are effective beginning with fiscal year 2016 and the FMFIA reports covering that year. Management, at its discretion, may elect early adoption of the Green Book.

This revision of the standards has gone through an extensive deliberative process, including public comments and input from the Comptroller General’s Advisory Council on Standards for Internal Control in the Federal Government. The advisory council consists of about 20 experts in financial and performance management drawn from federal, state, and local government; the private sector; and academia. The views of all parties were thoroughly considered in finalizing the standards.

I appreciate the efforts of government officials, public accounting professionals, and other members of the audit and academic communities who provided valuable assistance in developing these standards. I extend special thanks to the members of the Advisory Council on Standards for Internal Control in the Federal Government for their extensive input and feedback throughout the entire process of developing and finalizing the standards.

Gene L. Dodaro
Comptroller General of the United States
September 2014

How to Use the Green Book

The Green Book provides managers criteria for designing, implementing, and operating an effective internal control system. The Green Book defines the standards through components and principles and explains why they are integral to an entity’s internal control system. The Green Book clarifies what processes management considers part of internal control. In a mature and highly effective internal control system, internal control may be indistinguishable from day-to-day activities personnel perform.

The Green Book is structured as follows:
1. An Overview, which includes the following sections:
   • Section 1: an overview of the fundamental concepts of internal control
   • Section 2: a discussion of internal control components, principles, and attributes; how these relate to an entity’s objectives; and the three categories of objectives
   • Section 3: a discussion of the evaluation of the entity’s internal control system’s design, implementation, and operation
   • Section 4: additional considerations that apply to all components in an internal control system
2. A discussion of the requirements for each of the five components and 17 principles as well as discussion of the related attributes, including documentation requirements.

The Green Book clearly indicates the component and principle requirements through the use of “must” and “should.” Further discussion of these requirements is included in section 2 of the Overview. Documentation requirements are summarized in section 4 of the Overview.

Figure 1 depicts a sample page from the Green Book. This illustration identifies the components, principles, and attributes of the Green Book, which are further discussed in section 2 of the Overview.

Figure 1: Green Book Sample Page

Section 1 - Fundamental Concepts of Internal Control

Definition of Internal Control

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories:
• Operations - Effectiveness and efficiency of operations
• Reporting - Reliability of reporting for internal and external use
• Compliance - Compliance with applicable laws and regulations

Figure 2: Achieving Objectives through Internal Control

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals.

OV1.03 Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.

Definition of an Internal Control System

OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.

OV1.05 Internal control is not one event, but a series of actions that occur throughout an entity’s operations. Internal control is recognized as an integral part of the operational processes management uses to guide its operations rather than as a separate system within an entity. In this sense, internal control is built into the entity as a part of the organizational structure to help managers achieve the entity’s objectives on an ongoing basis.

OV1.06 People are what make internal control work. Management is responsible for an effective internal control system. As part of this responsibility, management sets the entity’s objectives, implements controls, and evaluates the internal control system. However, personnel throughout an entity play important roles in implementing and operating an effective internal control system.

OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization’s objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives.

Section 2 - Establishing an Effective Internal Control System

Presentation of Standards

OV2.01 The Green Book defines the standards for internal control in the federal government. FMFIA requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities to determine if an internal control system is effective. Nonfederal entities may use the Green Book as a framework to design, implement, and operate an internal control system.[2]

OV2.02 The Green Book applies to all of an entity’s objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the Green Book, management is responsible for designing the policies and procedures to fit an entity’s circumstances and building them in as an integral part of the entity’s operations.

Components, Principles, and Attributes

OV2.03 An entity determines its mission, sets a strategic plan, establishes entity objectives, and formulates plans to achieve its objectives. Management, with oversight from the entity’s oversight body, may set objectives for an entity as a whole or target activities within the entity. Management uses internal control to help the organization achieve these objectives. While there are different ways to present internal control, the Green Book approaches internal control through a hierarchical structure of five components and 17 principles. The hierarchy includes requirements for establishing an effective internal control system, including specific documentation requirements.

OV2.04 The five components represent the highest level of the hierarchy of standards for internal control in the federal government. The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The five components of internal control are as follows:
• Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
• Risk Assessment - Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

[2] See para. OV4.10 for further discussion on use by other entities.

• Control Activities - The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
• Information and Communication - The quality information management and personnel communicate and use to support the internal control system.
• Monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

OV2.05 The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

OV2.06 In general, all components and principles are relevant for establishing an effective internal control system. In rare circumstances, there may be an operating or regulatory situation in which management has determined that a principle is not relevant for the entity to achieve its objectives and address related risks. If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. In addition to principle requirements, the Green Book contains documentation requirements.

OV2.07 The Green Book contains additional information in the form of attributes. These attributes are intended to help organize the application material management may consider when designing, implementing, and operating the associated principles. Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Attributes may also provide background information on matters addressed in the Green Book.

OV2.08 Attributes are relevant to the proper implementation of the Green Book. Management has a responsibility to understand the attributes and exercise judgment in fulfilling the requirements of the standards. The Green Book, however, does not prescribe how management designs, implements, and operates an internal control system.

OV2.09 Figure 3 lists the five components of internal control and 17 related principles.

Figure 3: The Five Components and 17 Principles of Internal Control

Internal Control and the Entity

OV2.10 A direct relationship exists among an entity’s objectives, the five components of internal control, and the organizational structure of an entity. Objectives are what an entity wants to achieve. The five components of internal control are what are required of the entity to achieve the objectives. Organizational structure encompasses the operating units, operational processes, and other structures management uses to achieve the objectives. This relationship is depicted in the form of a cube developed by COSO (see fig. 4).[3]

Figure 4: The Components, Objectives, and Organizational Structure of Internal Control

OV2.11 The three categories into which an entity’s objectives can be classified are represented by the columns labeled on top of the cube. The five components of internal control are represented by the rows. The organizational structure is represented by the third dimension of the cube.

OV2.12 Each component of internal control applies to all three categories of objectives and the organizational structure. The principles support the components of internal control (see fig. 5).

[3] See paras. 3.02 through 3.05 for further discussion of organizational structure.

Figure 5: The 17 Principles Supporting the Five Components of Internal Control

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors.

Roles in an Internal Control System

OV2.14 Because internal control is a part of management’s overall responsibility, the five components are discussed in the context of the management of the entity. However, everyone in the entity has a responsibility for internal control. In general, roles in an entity’s internal control system can be categorized as follows:
• Oversight body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management’s design, implementation, and operation of an internal control system. For some entities, an oversight body might be one or a few members of senior management. For other entities, multiple parties may be members of the entity’s oversight body. For the purpose of the Green Book, oversight by an oversight body is implicit in each component and principle.

• Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system. Managers’ responsibilities vary depending on their functions in the organizational structure.
• Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity’s operations, reporting, or compliance objectives.[4]

OV2.15 External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity’s internal control system. While management may evaluate and incorporate recommendations by external auditors and the OIG, responsibility for an entity’s internal control system resides with management.

Objectives of an Entity

OV2.16 Management, with oversight by an oversight body, sets objectives to meet the entity’s mission, strategic plan, and goals and requirements of applicable laws and regulations. Management sets objectives before designing an entity’s internal control system. Management may include setting objectives as part of the strategic planning process.

OV2.17 Management, as part of designing an internal control system, defines the objectives in specific and measurable terms to enable management to identify, analyze, and respond to risks related to achieving those objectives.

Categories of Objectives

OV2.18 Management groups objectives into one or more of the three categories of objectives:
• Operations - Effectiveness and efficiency of operations
• Reporting - Reliability of reporting for internal and external use
• Compliance - Compliance with applicable laws and regulations

[4] See paras. 17.02 through 17.04 for further discussion on identifying issues.

Operations Objectives

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources.

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission.

Reporting Objectives

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories:
• External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders.
• External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders.
• Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance.

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively.

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity.

Safeguarding of Assets

OV2.24 A subset of the three categories of objectives is the safeguarding of assets. Management designs an internal control system to provide reasonabl
