Generally accepted standards for internal controls for federal programs were updated a couple of years ago in the United States Government Accountability Office publication Standards for Internal Control in the Federal Government (the Green Book) by the Comptroller General of the United States (September 2014). The standards were effective beginning with fiscal year 2016.
The standards in this publication represent a safe harbor in that the Comptroller General stated, “The Green Book may also be adopted by state and local entities, as well as not-for-profit organizations, as a framework for an internal control system.” The framework in the Green Book consists of five components of internal control and 17 principles that represent a holistic internal control system. It is highly recommended that a school district’s internal audit department and/or federal program managers conduct a gap analysis for each federal program in order to understand the extent to which the district's documentation of internal controls aligns with the 17 principles.
The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The five components are:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements are summarized in the Green Book as follows:
Control Environment
1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
2. The oversight body should oversee the entity’s internal control system.
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
Risk Assessment
6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Control Activities
10. Management should design control activities to achieve objectives and respond to risks.
11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
12. Management should implement control activities through policies.
Information and Communication
13. Management should use quality information to achieve the entity’s objectives.
14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.
Monitoring
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
17. Management should remediate identified internal control deficiencies on a timely basis.
The summary in the back of the Green Book also affirms that “Documentation is a necessary part of an effective internal control system.” Most importantly, the Green Book explains certain practical limits regarding the design of internal controls, stating, “The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity’s internal control system.”
Minimum documentation requirements explained in the Green Book are as follows:
- “If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06)
- Management develops and maintains documentation of its internal control system. (paragraph 3.09)
- Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02)
- Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09)
- Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05)
- Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06)”
To access the United States Government Accountability Office publication Standards for Internal Control in the Federal Government (the Green Book) by the Comptroller General of the United States (September 2014), click on the link below.
http://www.gao.gov/assets/670/665712.pdf