Standards for Internal Control in the Federal Government (Exposure Draft) (Superseded by AIMD-00-21.3.1)

Published by the Government Accountability Office on 1997-12-01.


United States General Accounting Office

December 1997

Standards for Internal Control in the Federal Government

Exposure Draft



These standards are provided as guidelines to assist managers in achieving the objectives
of their organization. The standards apply equally to program implementation and
administration as well as financial operations. They are intended to help both program
and financial managers.

The Office of Management and Budget (OMB) Circular A-123, "Management
Accountability and Control," June 21, 1995, provides the requirements for assessing
controls. These General Accounting Office (GAO) standards provide the measure of
quality against which controls in operation are assessed. The discussions on the
components of internal control, such as analyzing risks and monitoring controls, are
presented as explanations to enhance the understanding of the standards.

OMB Circular A-123 uses the term "management control" to cover all aspects of "internal
control" over an agency's operations. The term internal control in this document is
synonymous with the term management control in that the broad objectives of internal
control (operations, financial, and compliance) cover all aspects of an agency's
operations.

Beginning with the Accounting ..., agency heads have been
required to establish and maintain internal control. Since then, other laws have
required renewed focus on internal control. The Federal Managers' Financial Integrity
Act of 1982 (FMFIA) requires agency heads to ... internal control using the guidance
issued by the OMB and to report on whether their systems conform to the standards
issued by the GAO. Most recently, the ... se systems.
                                                                                                                           ..,..:     .‘j ,“.,/, :,
Over the years, GAO has issued numerous publications to assist agencies in establishing
and maintaining effective internal control systems. In 1983, GAO drew on its previously
issued guidance and experts throughout government, private sector, and academic
communities to develop and issue "Standards for Internal Controls in the Federal
Government" to facilitate implementation of FMFIA. Although those standards remain
conceptually sound and are used throughout the federal government, this update
enhances the standards to recognize recent internal control evaluation guidance
developed by the private sector with assistance from GAO and others as well as to give
greater recognition to the increasing use of information technology.

GAO/AIMD-98-21.3.1 Proposed Revision of I/C Stds (12/97)

The proposed standards supersede GAO's "Standards for Internal Controls in the Federal
Government." They incorporate the existing GAO standards and the components of
internal control covered in Internal Control-Integrated Framework, by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO).1 The eight major
internal control standards contained in this revision follow the COSO guidance closely
and also include reference to portions of OMB Circular A-123 that provide guidance for
evaluating internal control. Two of the standards, concerning management reporting on
internal control and resolution of audit findings, are standards not addressed by COSO but
reflect the public's demand for a high level of accountability for government stewardship
of resources. These two standards are currently required by law and by the existing
internal control standards. Appendix II provides a crosswalk from the existing standards
to those proposed in this document. When issued in final, these standards will replace
the existing standards.

To facilitate review of these proposed standards, they are located on the Internet on
GAO's Home Page (www.gao.gov/). Additional copies of these proposed standards can
be obtained from the U.S. General Accounting Office, room 1100, 700 4th Street NW,
Washington, DC 20548 or by calling (202) 512-6000. Please send comments by March 1?,
1998, to Robert W. Gramling, Director, Corporate Audits and Standards, Accounting and
Information Management Division at:

                  U.S. General Accounting Office
                  Room 6089
                  441 G Street, NW
                  Washington, DC 20548



Accounting and Information Management Division

1 Internal Control-Integrated Framework, Committee of Sponsoring Organizations of the
Treadway Commission (COSO), September 1992.
CONTENTS

Preface                                                                      1

Abbreviations                                                                4

Introduction                                                                 5

Internal Control Standards                                                   9

Detailed Explanation of Internal Control Standards                          12

       Component Standards                                                  12

           Control Environment                                              13
           Risk Assessment                                                  16
           Control Activities                                               19
           Information and Communications                                   25
           Monitoring                                                       28

       Evaluation and Reporting Standards                                   33

           Effectiveness of Internal Control                                33
           Reporting to External Parties                                    35
           Prompt Resolution of Audit Findings                              35

Individual Roles and Responsibilities                                       37

Internal Control Limitations                                                40

      I.   Questions for Respondents to the Proposed Standards              42
Abbreviations

                   AIMD      Accounting and Information Management Division
                   CFO       Chief Financial Officers
                   COSO      Committee of Sponsoring Organizations of the Treadway Commission
                   CPA       Certified Public Accountant
                   FASAB     Federal Accounting Standards Advisory Board
                   FDIC      Federal Deposit Insurance Corporation
                   FFMIA     Federal Financial Management Improvement Act of 1996
                   FMFIA     Federal Managers' Financial Integrity Act of 1982
                   GAAS      Generally Accepted Auditing Standards
                   GAO       United States General Accounting Office
                   GPRA      Government Performance and Results Act of 1993
                   GSA       General Services Administration
                   JFMIP     Joint Financial Management Improvement Program
                   OMB       Office of Management and Budget
                   OPM       Office of Personnel Management

INTRODUCTION

This document contains the internal control standards for executive agencies, as
required by the FMFIA. Internal control is a major part of the management processes
of any organization. Internal control comprises the plans, methods, and procedures
used by an entity to meet its objectives. Effective internal control is essential to
achieving the proper conduct of government business with full accountability for the
resources made available. Internal control helps ensure that an agency meets its
missions, goals, and objectives; complies with laws and regulations; is able to provide
reliable financial and other information concerning its programs, operations, and
activities; and serves as the first line of defense in preventing and detecting fraud.2
Internal control facilitates achieving management objectives by serving as checks and
balances against undesired actions. In preventing negative consequences, internal control
helps achieve the positive aims of program managers.
DEFINITION AND OBJECTIVES

Internal control is defined as a process, effected by an agency's management and
other personnel, designed to provide reasonable assurance that the objectives of the
agency are being achieved in the following categories:

    - Effectiveness and efficiency of operations, including the use of the entity's
      resources.
    - Reliability of financial reporting, including reports on budget execution,
      financial statements, and other reports for internal and external use.
    - Compliance with applicable laws and regulations.

A necessary implication or subset of these objectives is the safeguarding of agency
assets against unauthorized acquisition, use, or disposition. Consequently, the
definition of internal control as it relates to safeguarding assets can be expanded to
include processes, effected by an agency's management and other personnel, designed
to provide reasonable assurance regarding prevention of or prompt detection of
unauthorized acquisition, use, or disposition of the agency's assets.

Objectives should be identified at all levels throughout the agency. An agency should
first establish its entitywide objectives and then more specific objectives, when
determinable, throughout the various levels in the entity. Objectives at different levels
should also be linked to activities throughout the organization and should be internally
consistent and complementary.

2 Fraud is the intentional misrepresentation of financial information or theft of or
intentional misappropriation of assets.
FUNDAMENTAL CONCEPTS

The definition of internal control and the objectives which it seeks to attain reflect
several associated fundamental concepts. These concepts are useful in understanding
and applying the internal control standards discussed on succeeding pages.

Internal Control Is an Ongoing Process

Internal control is not one event, but a series of actions and activities that permeate
an entity's operations. These actions are inherent in the way management runs the
entity. Internal control should not be looked upon as separate, specialized systems
within an agency. Rather, it should be recognized as an integral part of each
system that management uses (for example, the budget development and execution
systems) to regulate and guide its operations. In this sense, internal control is
management control that is built into the entity and is a part of its infrastructure.

Internal Control Is Effected by People

People are what make internal control work. The responsibility for good internal
control rests with all managers; everyone in the organization plays a part in making it
happen. People set the objectives, put the control mechanisms and activities in place,
and monitor and evaluate the control.

Internal Control Provides Reasonable Assurance, Not Absolute Assurance

No matter how well designed and operated, internal control cannot provide absolute
assurance that all objectives will be met. Management should design and implement
internal control based on the related cost and benefits. Once in place, internal control
provides reasonable, not absolute, assurance of meeting objectives, because human
mistakes and judgmental errors, management's capacity to override control, and acts
of collusion to circumvent control can hamper meeting objectives. Nevertheless, in
the federal government, internal control effectively designed and operated provides the
best available assurance that objectives of the agency will be achieved.
Internal Control Is Geared to Achieving Objectives in One or More Separate but
Overlapping Categories

An objective in one category may overlap or support objectives in another category.
In addition, the category into which an objective falls can sometimes depend upon the
specific circumstances of an event or transaction or the environment of the entity.
Some types of objectives are common to all entities, such as producing reliable
financial statements and complying with all applicable laws and regulations. Others,
particularly those related to operational efficiency and effectiveness, such as
processing loan guarantee applications, are entity-specific and directed at the
individual mission and goals of the agency.


The FMFIA places several responsibilities on agency management for evaluating and
reporting on internal control. The act directs the heads of executive agencies to

    - annually evaluate their internal control using guidelines established by the
      OMB and
    - annually report on whether agency internal control complies with the
      standards prescribed by the Comptroller General. Where internal control
      does not comply, agencies must identify the weaknesses involved and
      describe the plans for corrections.

ORGANIZATION OF THESE STANDARDS

This document presents eight standards for the development, operation, and
evaluation of internal control for federal agencies. The first five of these standards
are considered to be components of internal control. They are derived from the way
management operates an agency and are integrated with the management process.
They are considered essential for effective internal control.

The latter three standards address evaluating and reporting on internal control. In
particular, the sixth standard provides a basis for determining whether agency internal
control is effective. The seventh cites the requirements of FMFIA for reporting on
internal control. The final standard requires the prompt resolution of audit findings
and recommendations related to internal control.

Additional sections discuss the internal control roles and responsibilities of various
individuals and groups and explain the inherent limitations of internal control.

These standards replace the existing standards when issued in final.
INTERNAL CONTROL STANDARDS

The internal control standards define the minimum level of quality acceptable for internal
control in operation and constitute the criteria against which internal control is to be
evaluated. These internal control standards apply to all operations, administrative and
programmatic functions, but are not intended to limit or interfere with duly granted
authority related to developing legislation, rule making, or other discretionary policy
making in an agency.


Control Environment

            Management and employees shall establish and maintain a control
            environment throughout the organization that sets a positive and
            supportive attitude toward internal control and control consciousness. A
            positive control environment is the foundation for all other standards of internal
            control, providing discipline and structure. The control environment is the setting
            which influences the quality of internal control. Several key factors influence
            internal control. These factors include the integrity, ethical values, and
            competence of the entity's people; management's philosophy and operating style;
            the way management assigns authority and responsibility, and organizes and
            develops its people; and the attention and direction provided by top management
            and oversight groups.

Risk Assessment

            Internal control should provide for an assessment of the risks the
            agency faces from both external and internal sources. A precondition
            to risk assessment is establishment of objectives, linked at different levels
            and internally consistent. Risk assessment is the identification and analysis
            of relevant risks associated with achieving the objectives of the agency (for
            example, those program objectives and financial limitations set forth in the
            budget) and forming a basis for determining how risks should be managed.
            Because governmental, economic, industry, regulatory, and operating
            conditions continually change, mechanisms should be provided to identify
            and deal with any special risks associated with change.

Control Activities

            Internal control activities are to be effective and efficient in
            accomplishing the agency's control objectives. Control activities are the
            policies, procedures, techniques, and mechanisms that enforce
            management's directives, such as the process of adhering to management
            orders for budget development and execution. They help ensure that
            actions are taken to address risks. Control activities occur at all levels and
            in all functions of the entity. They include a wide range of diverse activities
            such as approvals, authorizations, verifications, reconciliations, performance
            reviews, maintenance of security, segregation of duties, and the creation and
            maintenance of related records (such as documentation) which provide
            evidence of execution of these activities as well as appropriate audit trails.

              Information and Communications

                       For an entity to run and control its operations, it must have relevant,
                       reliable information, both financial and nonfinancial, relating to
                       external as well as internal events. That information must be
                       recorded and communicated to management and others within the
                       entity who need it and in a form and within a time frame that enables
                       them to carry out their internal control and other responsibilities.

              Monitoring

                       Internal control must be monitored. Monitoring is a process that
                       assesses the quality of performance over time. This is to be
                       accomplished through ongoing monitoring activities, separate evaluations,
                       or a combination of the two. Ongoing monitoring occurs in the course of
                       operations. It includes regular management and supervisory activities, and
                       other actions personnel take in performing their duties. The scope and
                       frequency of separate evaluations shall depend primarily on the assessment
                       of risks and the effectiveness of ongoing monitoring procedures. Internal
                       control deficiencies should be communicated to the individual responsible
                       for the deficient function and also to at least one level of management above
                       that individual. Serious matters should be reported to top management.

              EVALUATING AND REPORTING STANDARDS

                       For internal control to be judged effective, management must have
                       reasonable assurance that

                       •  the agency's operational objectives are being met,

                       •  the published financial statements and reports prepared for internal
                          and external use (such as budget execution reports) are reliably
                          prepared, and

                       •  compliance with applicable laws and regulations is being achieved.

            The significance of all internal control deficiencies identified by management,
            employees, Inspectors General and other auditors, or other sources must be
            evaluated individually and collectively by management in deciding their effect on
            the five components of internal control and the related impact on whether the
            objectives of internal control are being met. OMB Circular A-123, "Management
            Accountability and Control," dated June 21, 1995, provides guidance on assessing
            internal control deficiencies. Financial statement auditing standards provide
            additional guidance in assessing financial reporting weaknesses.

  Reporting to External Parties

            Management shall provide an annual public report presenting its assertion
            about the effectiveness of its internal control. The FMFIA requires that the
            heads of executive agencies report annually to the President on internal control,
            identifying any material weaknesses and plans for correcting them. It also
            requires that agencies make these reports available to the public. OMB Circular
            A-123 provides guidance on how to satisfy FMFIA's reporting requirements.

  Audit Resolution

            Audit findings shall be promptly resolved. Managers are to (1) promptly
            evaluate findings, both those showing deficiencies and others, and
            recommendations reported by auditors, (2) determine proper actions in
            response to audit findings and recommendations, and (3) complete, within
            established time frames, all actions that correct or otherwise resolve the
            matters brought to management's attention.

        DETAILED EXPLANATION OF STANDARDS

        The internal control standards define the minimum level of quality acceptable for
        internal control in operation and constitute the criteria against which internal control
        is to be evaluated. These internal control standards apply to all operations,
        administrative and programmatic functions, but are not intended to limit or interfere
        with duly granted authority related to development of legislation, rule-making, or other
        discretionary policy-making in an agency.

        The eight internal control standards can be categorized into two groups.¹ One group
        comprises the five standards that relate directly to the functioning and operation of
        internal control. The second group contains the other three standards, which deal
        with evaluating internal control, reporting on it, and responding to audit
        findings and recommendations.

        COMPONENT STANDARDS

        Internal control consists of five interrelated components which form an integrated
        process that can react to changing circumstances and conditions within the entity.
        These components are derived from the way in which agencies conduct their activities
        and are integrated within the management processes. The components of internal
        control are the control environment, risk assessment, control activities, information
        and communication, and monitoring. Each of these components is essential to
        achieving the operational, financial reporting, and compliance objectives of internal
        control. The standards for each are discussed below.

         ¹ To a large degree, these standards parallel and draw upon the criteria presented in
         Internal Control-Integrated Framework published by the Committee of Sponsoring
         Organizations of the Treadway Commission (COSO) in September 1992. COSO
         consists of the American Institute of Certified Public Accountants, the American
         Accounting Association, The Institute of Internal Auditors, the Institute of Management
         Accountants, and the Financial Executives Institute. Copies of Internal Control -
         Integrated Framework may be obtained from the Order Department, American
         Institute of Certified Public Accountants, Harborside Financial Center, 201 Plaza Three,
         Jersey City, NJ 07311-3881.

Control Environment

           Management and employees shall establish and maintain a control
           environment throughout the organization that sets a positive and
           supportive attitude toward internal control and control consciousness.

A positive and supportive control environment, providing discipline and structure, is
the foundation for all other standards of internal control. The control environment is
influenced by the agency's history and culture and it, in turn, influences how the
agency conducts its activities. This standard requires that agency managers and other
personnel be attentive to internal control and take it seriously. Attitude affects the
quality of internal control and, as a result, the quality of performance and the
achievement of internal control objectives. Attitude is not reflected in any one
particular aspect of management's actions, but rather is fostered by management's
commitment to achieving strong control through all of its actions that contribute to a
positive control environment.

There are seven major factors that significantly affect the entity's control environment.
These factors are (1) the integrity and ethical values of management and employees of
the agency, (2) the competence of its personnel, (3) management's philosophy and
operating style, (4) the way the agency is organized, (5) the manner in which
management assigns authority and responsibility, (6) how the agency develops and
trains its human resources, and (7) the attention and direction provided by oversight
groups. They are discussed below.

         1. Integrity and Ethical Values

An agency's top-level management plays a key role in providing leadership and in
establishing and maintaining the organization's ethical tone. It has primary
responsibility for communicating behavioral standards to the rest of the agency.

         2. Commitment to Competence

Managers and employees should possess and maintain a level of competence that
allows them to accomplish their assigned duties, as well as understand the importance

experience for specific jobs. In addition, counseling and performance appraisals are
important. Performance appraisals should be based on an assessment of critical
factors, including the implementation and maintenance of effective internal control.

         3. Management's Philosophy and Operating Style

The nature of internal control can be affected by the degree to which management is
willing to accept risks and the degree of economic or regulatory control imposed by
others. Other elements affecting the entity's philosophy and style include attitudes
toward reporting (both financial and programmatic) and the use of aggressive or
conservative accounting principles and estimates and other rules for reporting. In
addition, the attitude of management toward data processing and accounting functions
and personnel in general can have a profound effect on internal control. One
important way for management to demonstrate its support for good internal control is
to emphasize the value of an Inspector General, external audits, and other evaluations
and studies, and its responsiveness to information developed through such products.

         4. Organizational Structure

The organization of an agency provides its management with the overall framework
for planning, directing, and controlling its operations to achieve its objectives. Good
internal control requires that the entity's organizational structure clearly define key
areas of authority and responsibility and establish appropriate lines of reporting. The
appropriateness of the structure depends, in part, upon the entity's size and the nature
of its activities. However, the organization of activities should be designed to achieve
the entity's overall objectives.

         5. Assignment of Authority and Responsibility

For an agency to accomplish its mission, management must delegate authority and
responsibility throughout the organization. This delegation covers authority and
responsibility for operating activities, reporting relationships, and authorization
protocols. A critical internal control challenge is to delegate enough to achieve the
objectives, but not so much that internal control is significantly weakened. Another
challenge is ensuring that each individual knows how his or her actions interrelate and
contribute to meeting the objectives. With increased delegation of authority and
responsibility, management should have effective procedures to monitor results.
Individuals should be held accountable for their decisions and actions.

Implicit in the assignment of authority and responsibility is the requirement to provide
qualified and continuous supervision. Supervision throughout the agency helps ensure
that employees are aware of their duties and responsibilities and know the extent to


         6. Human Resource Policies and Practices

This factor ties closely with the ones on commitment to competence and the
assignment of authority and responsibility. The agency must establish appropriate
practices for hiring, orienting, training, supervising, evaluating, counseling, promoting,
compensating, and disciplining its personnel. For example, related to hiring, the
agency should have standards for hiring qualified people, with emphasis on education,
experience, accomplishments, and ethical behavior. Also, training must be an ongoing
process, and rotation of personnel and promotions should be based on periodic
performance appraisals.

The appropriate degree of supervision, review, and approval of assigned work clearly
identifies duties and responsibilities and helps to ensure the proper processing of
transactions and events, reduces misunderstandings and improper practices,
discourages wrongful acts, and provides staff with guidance and training. Bonus
and/or award incentives can also be used to reinforce motivation and performance. In
addition, disciplinary actions, when deserved, send a message to the rest of the agency
that certain behavior will not be tolerated.

         7. Oversight Groups

Oversight bodies in the federal government are the Congress and central agencies
(OMB, Treasury, General Services Administration (GSA), the Office of Personnel
Management (OPM), and GAO). In its oversight role, the Congress mandates the
programs that agencies are to undertake and the extent and depth of the undertaking.
GAO supports the Congress in its role. The central agencies provide policy and other
guidance to agencies. The Congress also monitors the agencies' progress toward
meeting the mandated goals.

Within agencies, there are also mechanisms in place to monitor operations and
programs. These include senior management councils. Such councils may include
high-level line and staff management as well as the agency inspector general.
Agencies may also have audit committees analogous to the private sector. Senior
management councils may help to fill the role of an audit committee and thereby
improve the agency's internal control.

Risk Assessment

          Internal control should provide for an assessment of the risks the agency
          faces from both external and internal sources.

Every agency faces risks that could threaten the achievement of its objectives. These
risks come from a variety of external and internal sources. Risk assessment is the
identification and analysis of possible risks in meeting the agency's objectives and
forming a basis for how these risks should be managed or controlled and the
deterrents that should be implemented.

A precondition to risk assessment is the establishment of objectives, linked at
different levels and internally consistent. By setting objectives at both the entity and
activity levels in terms of operations, financial reporting, and compliance with laws
and regulations, agencies can identify critical success factors. These are the things
that must occur or "go right" if the objectives are to be met. Knowing what must go
right is critical to identifying the risks of what can go wrong.

The identification and analysis of risk is a continual process that is critical to the
effectiveness of internal control. Management must focus on risks at all levels in the
entity and act to manage them.

         1. Risk Identification

Management should be comprehensive in its identification of risks and should
consider all significant interactions between the entity and other parties as well as
internal factors at both the entity-wide and activity level. Many methods of risk
identification may be used, including

         •  qualitative or quantitative methods to identify and rank high-risk
            activities,
         •  senior management planning conferences, and
         •  short and long-range forecasting and strategic planning.

Management should carefully consider the specific external factors that may present
risk to the agency. Examples of such external factors that could cause risk include
the following:

         •  technological developments;
         •  changing needs or expectations of the Congress, agency officials, and
Examples of internal factors that can give rise to risk may include the following:

         •  downsizing agency operations,
         •  reengineering agency operating processes,
         •  disruption of information systems processing,
         •  highly decentralized program operations,
         •  the quality of personnel hired and training provided,
         •  heavy reliance on contractors or other related parties to perform
            critical agency functions,
         •  changes in management responsibilities, and
         •  the nature of the entity's activities and employee access to assets.

                 In identifying risks, management must also consider other factors that may contribute
                 to or increase the risk to which the agency may be exposed. Examples of such
                 considerations include past failures in meeting budget limits and agency objectives and
                 the reasons for those failures; making improper program expenditures; geographically
                 distributed agency activities; and the significance and complexity of any specific
                 activity which the agency undertakes.

                         2. Risk Analysis

The risk analysis methodology can vary because levels of risk are difficult to quantify.
However, the processes of analysis would generally include the following:

         •  estimating the risk significance,
         •  assessing frequency/likelihood of occurrence, and
         •  considering how to manage the risk and the actions to be taken.

All of these must be considered together. A risk that has little significance and low
probability of occurring may require no action at all. Yet, one with high significance
and high frequency will usually require much attention. Once risks have been
analyzed, management needs to formulate an approach for risk management and
control based upon how much risk can be prudently accepted. The approach can vary
considerably from one agency to another, but all approaches should be designed to
keep risks within the levels judged appropriate by management. Once the approach
has been implemented, it should be monitored and tracked for effectiveness.

                        3. Managing Risk During            Change

Because governmental, economic, industry, regulatory, operating, and other conditions
continually change, mechanisms should be provided to identify and deal with any
special risks associated with change. Changing conditions often can greatly increase
risks to an agency. Mechanisms should be in place to help management identify such
changes. These mechanisms need not be elaborate, but are usually related to the
recording and use of information.

Some major changing conditions that warrant special consideration with regard to risk
may include the following:

         •  new personnel in key positions or high personnel turnover;
         •  new or changed information systems;
         •  rapid growth, expansion, or downsizing;
         •  implementation of major new technologies;
         •  production or provision of new outputs; and
         •  starting operations in new geographical areas.



Control Activities

          Internal control activities are to be effective and efficient in
          accomplishing the agency's control objectives.

Control activities are the policies, procedures, techniques, and mechanisms that ensure
that management's directives are being carried out to meet the agency's objectives,
including, for example, budget, program, and financial objectives and to prevent and
detect fraud. They help ensure that necessary actions are taken to address risks
affecting those objectives. They can usually be categorized by the specific objective
(operational, financial reporting, or compliance) to which they relate, but often a
particular control activity may apply to the achievement of more than one objective.
Control activities occur at all levels and in all functions of the entity. They include a
wide range of diverse mechanisms and activities such as organizational plans,
managerial approvals and authorizations, verifications, reconciliations, performance
reviews, maintenance of security, restrictions on access to resources, segregation of
duties, and documentation of transactions and events and of the internal control
structure itself.

Internal control activities involve two elements: policy on what should be done and
procedures, techniques, and mechanisms to effect the policy. Policies should be in
writing and should be implemented thoughtfully, conscientiously, and consistently.
The procedures, techniques, and mechanisms to implement policy should continually
provide a high degree of assurance that the internal control objectives are being
achieved. To do so they must be effective and efficient. To be effective, control
procedures, techniques, and mechanisms should fulfill their intended purpose in actual
application. They should provide the coverage they are supposed to provide and
operate when and as intended. They should be designed to derive maximum benefit
with minimum effort to achieve efficiency. In addition, they should be regularly
monitored and evaluated.

         1. Types of Control Activities

Many different types of control activities have been described, including preventive
control, detective control, manual control, computer control, and management control.
Control activities, however, can also be classified by specific control objectives, such
as ensuring completeness and accuracy of information processing. The following are
certain categories of control activities that should be common to all agencies and
examples that should be established for each. These are presented to illustrate the
range and variety of control activities and are not all-inclusive of the control activities
that a particular agency may require.

         A. Top-Level Reviews

Management should regularly review actual performance versus budgets, forecasts,
and prior periods' results. The Government Performance and Results Act of 1993
(GPRA) requires that agencies develop strategic plans that cover a period of at least 5
years, annual performance plans, and report on the achievement of goals and
objectives on an annual basis. (These performance reports start in March 2000.)
GPRA requires that agencies develop performance targets and measures and report
results. Top-level management should be involved in these processes. Major agency
initiatives should be tracked for target achievement. Implementation of plans should
be monitored. Management actions taken to analyze and follow up on such tracking
and monitoring represent control activities as well as the agency's control
environment.

        B. Direct Functional or Activity Management

The agency's managers also review performance reports, analyze trends, and relate
results to targets. Financial and program managers should review reports designed to
compare performance to planned or expected results. Other control activities may
include reconciliations of summary information to supporting detail (e.g., control
accounts to subsidiary accounts) and checking summarizations of operations.

A variety of control activities may be used to check data accuracy, completeness, and
the appropriate authorization of transactions. Data entered into systems should be
subjected to edit checks and matched to approved control files. Transactions should
be accounted for in numerical sequences. File totals should be compared with control
accounts. Exceptions should be examined and acted upon. Access to information
processing data, files, and programs must be controlled.
        D. Physical Control

Various types of assets such as equipment, inventories, securities, cash, and any other
assets which may be vulnerable to risk of loss or unauthorized use should be
physically secured and periodically counted and compared to amounts shown on
control records.
        E. Performance Indicators

Control activities should be established to monitor performance indicators. This
control could call for comparisons and assessments relating different sets of data to
one another so that analyses of the relationships can be made and corrective actions,
if necessary, can be taken. Investigation of unexpected results or unusual trends
enables identification of circumstances where achievement of activity objectives is
threatened. Analysis of performance indicators may serve operational and/or financial
reporting control purposes.
        F. Segregation of Duties

Key duties and responsibilities should be divided or segregated among different people
to reduce the risk of error or fraud. This should include separating the responsibilities
for authorizing transactions, processing and recording them, reviewing the
transactions, and handling the related assets. To reduce the risk of error, waste, or
fraud or to reduce the risk of their going undetected, no one individual should control
all key aspects of a transaction or event. Duties and responsibilities should be
assigned systematically to a number of individuals to ensure effective checks and
balances. Collusion, however, can reduce or destroy the effectiveness of this internal
control activity, and management should reduce the opportunities for it and watch for it.
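One way to mechanize the check this paragraph describes, as an added example that is not part of the GAO standard: given a role catalogue and each person's role assignments, find anyone who holds two or more of the four segregated duties (authorize, record, review, custody) for the same kind of transaction, and anyone who alone holds all four. The four duty names come from the text; the roles, users and transaction types are constructed for illustration.

```python
"""Segregation-of-duties review over role assignments (added example).

The four duties are the ones the standard says to separate; the role catalogue,
the user roster and the transaction types are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

DUTIES = ("authorize", "record", "review", "custody")

# Constructed role catalogue: role -> set of (transaction_type, duty) it grants.
ROLE_DUTIES = {
    "procurement_officer": {("purchase", "authorize")},
    "ap_clerk":            {("purchase", "record"), ("payment", "record")},
    "ap_supervisor":       {("purchase", "review"), ("payment", "review")},
    "treasury_officer":    {("payment", "authorize"), ("payment", "custody")},  # conflict built into one role
    "warehouse_clerk":     {("purchase", "custody")},
    "field_office_admin":  {("travel_advance", d) for d in DUTIES},           # one person does everything
}

# Constructed roster: user -> roles held. dlee has accumulated two roles over time.
ASSIGNMENTS = {
    "amartin": ["procurement_officer"],
    "bchen":   ["ap_clerk"],
    "cnguyen": ["ap_supervisor"],
    "dlee":    ["ap_clerk", "ap_supervisor"],
    "erivera": ["treasury_officer"],
    "fkhan":   ["warehouse_clerk"],
    "gsmith":  ["field_office_admin"],
}


def effective_duties(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Union of every (transaction_type, duty) pair the user's roles grant."""
    duties = set()
    for role in assignments.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def duties_by_type(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """transaction_type -> set of duties this user holds for it."""
    held = defaultdict(set)
    for ttype, duty in effective_duties(user, assignments, role_duties):
        held[ttype].add(duty)
    return held


def sod_conflicts(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """user -> sorted (transaction_type, duty_a, duty_b) for every pair of segregated
    duties one person holds for the same transaction type. Roles are resolved to
    duties first, so a conflict created by combining two individually clean roles
    (dlee) is found as readily as one inside a single role (erivera)."""
    findings = {}
    for user in assignments:
        conflicts = [
            (ttype, a, b)
            for ttype, held in duties_by_type(user, assignments, role_duties).items()
            for a, b in combinations(sorted(held), 2)
        ]
        if conflicts:
            findings[user] = sorted(conflicts)
    return findings


def full_control(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """user -> transaction types for which that one person holds every key duty,
    the case the text singles out as unacceptable."""
    findings = {}
    for user in assignments:
        types = sorted(
            ttype for ttype, held in duties_by_type(user, assignments, role_duties).items()
            if held >= set(DUTIES)
        )
        if types:
            findings[user] = types
    return findings


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        for ttype, a, b in pairs:
            print(f"{user}: holds both {a} and {b} for {ttype}")
    for user, types in full_control().items():
        print(f"{user}: controls every key duty for {', '.join(types)}")
```

The review only shows who holds conflicting duties on paper; as the paragraph notes, two people can still collude, so the finding list is a starting point for management follow-up, not proof that the control works.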
        G. Execution of Transactions and Events

Transactions and other significant events should be authorized and executed only by
persons acting within the scope of their authority. These authorization control
activities deal with management's decisions to exchange, transfer, use, or commit
resources for specified purposes under specific conditions. It is the principal means
of assuring that only valid transactions and other events are initiated or entered into.
Authorization should be clearly communicated to managers and employees and should
include the specific conditions and terms under which authorizations are to be made.
Conforming to the terms of an authorization means that employees are carrying out
their assigned duties in accordance with directives and within the limitations
established by law, regulation, and management.
        H. Recording Transactions and Events

Transactions and other significant events should be promptly recorded and properly
classified. Transactions must be promptly recorded if pertinent information is to
maintain its relevance and value to management in controlling operations and making
decisions. This applies to (1) the entire process or life cycle of a transaction or event
and includes the initiation and authorization, (2) all aspects of the transaction while in
process, and (3) its final classification in summary records. Proper classification of
information on transactions and events refers to the organization and format of
information on summary records from which reports and statements are prepared.
        I. Access Restrictions to and Accountability
           for Resources and Records

Access to resources and records should be limited to authorized individuals, and
accountability for their custody and use should be assigned and maintained. Periodic
comparison of resources with the recorded accountability should be made. The
frequency of the comparison should be a function of the vulnerability of the asset.
The basic concept behind restricting access to resources and records is to help reduce
the risk of errors, fraud, misuse, or unauthorized alteration, and to help achieve the
directives of management. However, restricting access depends upon the vulnerability
of the resources or records and the perceived risk, both of which should be
periodically assessed. Other factors affecting access to assets include the asset value,
portability, and exchangeability. Assigning and maintaining accountability for
resources and records involves telling specific individuals within the agency that they
are responsible for their custody and use.

        J. Documentation

Internal control and all transactions and other significant events should be clearly
documented, and the documentation should be readily available for examination. The
documentation of internal control should include identification of the agency's activity-
level functions and related objectives and control activities, and should appear in
management directives, administrative policy, and accounting manuals.
Documentation of transactions or other significant events should be complete and
accurate and should facilitate tracing the transaction or event and related information
from before it occurs, through its processing, to after it is completed. The
documentation, whether in paper or electronic form, should be purposeful and useful
to managers in controlling their operations and to auditors or others involved in
analyzing operations.
        2. Integration with Risk Assessment

Along with assessing risks, management needs to act to address those risks. The
actions management decides to take to address risks also serve to focus attention on
control activities put in place to ensure that the actions are carried out properly and
promptly. Control activities are a major part of the process by which an agency
achieves its objectives as opposed to being implemented for their own sake or
because it is the "right thing to do." In this sense, control is built directly into the
management process.

        3. Control Over Information Systems
Most information systems today are computerized. Special control applies to them.
However, even if the controls are different from those used in manual systems, they
are still based on the same underlying concepts.

There are two broad groupings of information systems control: general control and
application control. General control applies to all information systems: mainframe,
minicomputer, and end-user environments. It also includes those manual measures
and procedures that help ensure the systems' continued proper operation. Application
control is designed to control the processing of transactions within the application
software and includes related manual procedures.

        A. General Control

These include control over data center operations, system software acquisition and
maintenance, access security, and application system development and maintenance.
Examples of control activities that agencies should use are described below.

        •  Data Center Operations Control - This kind of control includes job set
           up and scheduling, operations activities, backup and recovery
           procedures, and contingency and disaster planning.

        •  System Software Control - These include control over the acquisition,
           implementation, and maintenance of all system software including the
           operating system, database management systems,
           telecommunications, security software, and utility programs.

        •  Access Security Control - This kind of control protects the systems
           and network from inappropriate access and unauthorized use by
           hackers and other trespassers or inappropriate use by agency
           personnel. Specific control activities include frequent changes of
           dial-up numbers; use of dial-back access; restrictions on users to allow
           access only to system functions that they need; "firewalls" (software
           and hardware) to restrict access to assets, computers, and networks
           by external persons; and frequent changes of passwords, deactivation
           of former employees' passwords, and other techniques.

        •  Application System Development and Maintenance Control - This kind
           of control provides the structure for developing new systems and
           modifying existing systems. Included are documentation
           requirements; authorizations for undertaking projects; and reviews,
           testing, and approvals of development and modification activities
           before placing systems into operation. An alternative to in-house
           development is the procurement of commercial software, but control
           is necessary to ensure that selected software meets the user's needs
           and that it is properly placed into operation.
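Two of the access security activities in the list above, turned into a periodic review, as an added example that is not from the GAO text: find accounts still enabled for personnel the HR roster shows as separated (or with no HR record at all), and find accounts granted functions beyond what the holder's role needs. The HR roster, the account export, the role-to-function baseline and the review date are all constructed for illustration.

```python
"""Periodic access review (added example, not from the GAO text).

Checks two of the access security control activities the standard lists:
accounts of former employees are deactivated, and each user can reach only
the system functions their job needs. Roster, account export, baseline and
review date are all constructed for illustration.
"""
from datetime import date

# Constructed HR roster: user -> (status, separation date or None, role).
HR_ROSTER = {
    "amartin": ("active", None, "procurement"),
    "bchen":   ("active", None, "accounts_payable"),
    "cnguyen": ("separated", date(2024, 2, 15), "accounts_payable"),
    "dlee":    ("active", None, "helpdesk"),
}

# Constructed least-privilege baseline: role -> functions that role needs.
ROLE_FUNCTIONS = {
    "procurement":      {"po.create", "po.view"},
    "accounts_payable": {"invoice.enter", "invoice.view", "po.view"},
    "helpdesk":         {"user.reset_password", "user.view"},
}

# Constructed account export from the system under review.
ACCOUNTS = [
    {"user": "amartin",   "enabled": True,  "functions": {"po.create", "po.view"}},
    {"user": "bchen",     "enabled": True,  "functions": {"invoice.enter", "invoice.view", "po.view", "po.create"}},
    {"user": "cnguyen",   "enabled": True,  "functions": {"invoice.enter", "invoice.view"}},
    {"user": "svc_batch", "enabled": True,  "functions": {"invoice.enter"}},
    {"user": "dlee",      "enabled": False, "functions": {"user.reset_password", "user.view"}},
]


def review_accounts(accounts=ACCOUNTS, roster=HR_ROSTER,
                    role_functions=ROLE_FUNCTIONS, as_of=date(2024, 3, 1)):
    """Return (user, finding_kind, detail) tuples in account-export order.

    orphan              account has no HR record, so nobody is accountable for it
    separated_enabled   account still enabled after the roster shows separation
    excess_functions    functions granted beyond the role's baseline
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings.append((user, "orphan", "no HR record for this account"))
            continue
        status, separated_on, role = roster[user]
        if status == "separated" and acct["enabled"]:
            days = (as_of - separated_on).days
            findings.append((user, "separated_enabled",
                             f"still enabled {days} days after separation"))
        excess = acct["functions"] - role_functions.get(role, set())
        if excess:
            findings.append((user, "excess_functions", ",".join(sorted(excess))))
    return findings


def accounts_to_disable(findings):
    """Users whose accounts should be deactivated outright: separated or orphaned."""
    return sorted({u for u, kind, _ in findings if kind in ("orphan", "separated_enabled")})


if __name__ == "__main__":
    found = review_accounts()
    for user, kind, detail in found:
        print(f"{user:10} {kind:18} {detail}")
    print("disable:", ", ".join(accounts_to_disable(found)))
```

The orphan check matters because an account with no owner on the roster has nobody accountable for its custody and use, the accountability that section I above calls for. One caveat on the list's "frequent changes of passwords": current federal guidance, NIST SP 800-63B, no longer recommends forcing periodic password changes without evidence of compromise, so a present-day review would key on account deactivation and privilege scope, as this example does, rather than on password age.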
        B. Application Control

This kind of control is designed to help ensure completeness, accuracy, authorization,
and validity of all transactions during application processing. Control should also be
installed at an application's interfaces with other systems to ensure that all inputs are
received and are valid and outputs are correct and properly distributed. An example
is computerized edit checks built into the system to review the format, existence, and
reasonableness of data.
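The edit checks this paragraph mentions, together with the sequence accounting, control-file matching and file-total comparison described under the information processing control activities earlier on this page, as one added example that is not from the GAO text. It runs the checks over a small constructed batch of payment records and reports the exceptions for follow-up; the record layout, the approved-vendor control file, the reasonableness limit and the control record are all assumed.

```python
"""Information-processing controls over one transaction batch (added example).

Implements the checks named in the text: edit checks on format, existence
(match to an approved control file) and reasonableness of each record;
accounting for transactions by numerical sequence; comparison of the file
total and count with the control record; and an exception list. The layout,
vendor file, ceiling and sample batch are constructed, not from the standard.
"""
import re
from collections import Counter
from datetime import date
from decimal import Decimal, InvalidOperation

VENDOR_ID_RE = re.compile(r"^V\d{5}$")
# Constructed approved-vendor control file.
APPROVED_VENDORS = {"V10001": "Acme Supply", "V10002": "Beta Services", "V10003": "Gamma Logistics"}
# Assumed single-transaction ceiling for the reasonableness check.
MAX_REASONABLE_AMOUNT = Decimal("25000.00")


def parse_amount(text):
    """Decimal dollars-and-cents, or None if the field is not a two-decimal number."""
    try:
        value = Decimal(text)
    except (InvalidOperation, TypeError):
        return None
    return value if value.as_tuple().exponent == -2 else None


def edit_check(rec):
    """Exception messages for one record; an empty list means it passes."""
    problems = []
    vendor = rec.get("vendor_id", "")
    if not VENDOR_ID_RE.match(vendor):                      # format
        problems.append("vendor_id format")
    if vendor not in APPROVED_VENDORS:                      # existence
        problems.append("vendor not on approved file")
    amount = parse_amount(rec.get("amount"))
    if amount is None:                                      # format
        problems.append("amount not dollars and cents")
    elif amount <= 0:                                       # reasonableness
        problems.append("amount not positive")
    elif amount > MAX_REASONABLE_AMOUNT:
        problems.append("amount exceeds reasonableness limit")
    try:
        date.fromisoformat(rec.get("date", ""))             # format
    except ValueError:
        problems.append("date invalid")
    return problems


def sequence_gaps(seqs):
    """(missing, duplicated) sequence numbers between the lowest and highest seen."""
    if not seqs:
        return [], []
    counts = Counter(seqs)
    missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in counts]
    duplicated = sorted(s for s, n in counts.items() if n > 1)
    return missing, duplicated


def process_batch(batch, control):
    """Run every control over the batch and return a report for the reviewer."""
    exceptions = []
    file_total = Decimal("0.00")
    for rec in batch:
        problems = edit_check(rec)
        if problems:
            exceptions.append({"seq": rec["seq"], "vendor_id": rec.get("vendor_id"), "problems": problems})
        amount = parse_amount(rec.get("amount"))
        if amount is not None:
            file_total += amount                            # file total over every parseable amount
    missing, duplicated = sequence_gaps([rec["seq"] for rec in batch])
    control_total = Decimal(control["total"])
    report = {
        "exceptions": exceptions,
        "missing_seq": missing,
        "duplicate_seq": duplicated,
        "file_count": len(batch), "control_count": control["count"],
        "file_total": file_total, "control_total": control_total,
        "difference": control_total - file_total,
    }
    report["accepted"] = (not exceptions and not missing and not duplicated
                          and report["file_count"] == control["count"]
                          and file_total == control_total)
    return report


# Constructed sample batch and control record (count and total expected by the control account).
SAMPLE_BATCH = [
    {"seq": 1001, "vendor_id": "V10001", "amount": "1200.00",  "date": "2024-03-01"},
    {"seq": 1002, "vendor_id": "V10002", "amount": "18750.50", "date": "2024-03-01"},
    {"seq": 1003, "vendor_id": "V10004", "amount": "300.00",   "date": "2024-03-02"},  # vendor not approved
    {"seq": 1005, "vendor_id": "V10003", "amount": "99999.99", "date": "2024-03-02"},  # seq 1004 missing; over limit
    {"seq": 1005, "vendor_id": "V10001", "amount": "45.00",    "date": "2024-03-03"},  # duplicate sequence number
    {"seq": 1006, "vendor_id": "v1",     "amount": "twelve",   "date": "2024-02-30"},  # fails every edit check
]
SAMPLE_CONTROL = {"count": 6, "total": "120307.49"}

if __name__ == "__main__":
    rep = process_batch(SAMPLE_BATCH, SAMPLE_CONTROL)
    for exc in rep["exceptions"]:
        print(f"seq {exc['seq']}: {'; '.join(exc['problems'])}")
    print("missing:", rep["missing_seq"], "duplicated:", rep["duplicate_seq"])
    print("file total", rep["file_total"], "vs control", rep["control_total"], "difference", rep["difference"])
    print("batch accepted:", rep["accepted"])
```

The batch is only accepted when every check passes; the report otherwise carries the exceptions the text says should be examined and acted upon, and the 12.00 difference between the file total and the control account is explained by the unparseable amount on record 1006.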

        C. Relationship Between General and Application Control
General and application control over computer systems are interrelated. If the general
control is inadequate, the application control is unlikely to function properly and could
be overridden. The application control assumes that the general control will function
properly and provide immediate feedback on errors, mismatches, incorrect format of
data, and inappropriate data access (by unauthorized persons). Therefore, general
control supports the functioning of application control, and both are needed to ensure
complete and accurate information processing.
        D. Evolving Information Technology
The field of computer information processing is one of rapid technological change.
Changes in technology will change the specific control activities that may be employed
and how they are implemented, but the basic requirements of control will not have
changed. As more powerful computers place more responsibility for data processing
in the hands of the end-users, the necessary controls (for example, routines within
computer programs that validate data or persons/vendors and the procedures
performed by users to ensure accurate processing by the computer) should be
identified and selected.
        4. Entity-Specific Control Activities
Agencies' internal control activities will be required to follow guidance set by
oversight bodies. However, within the requirements, flexibility exists to allow
agencies to tailor internal control to fit their needs. The specific internal control
activities used by a given agency will be different from those used by other agencies,
due to a number of factors. These could include differences in objectives; managerial
judgment; size and complexity of the organization; operational environment (including
such items as exposure to certain risks and geographical dispersion);
sensitivity and value of data; and requirements for system reliability, availability, and
performance. All of these factors should be considered when designing the specific
control activities needed for an agency to achieve its objectives.

Information and Communications

           For an entity to run and control its operations, it must have relevant,
           reliable information, both financial and nonfinancial, relating to external
           as well as internal events. That information must be recorded and
           communicated to management and others within the entity who need it
           and in a form and within a time frame that enables them to carry out
           their internal control and other responsibilities.

Pertinent information must be identified, captured, and communicated in a form and
time frame that permits people to perform their duties efficiently. Information
systems produce reports containing the information that makes it possible to run and
control the agency. Effective communication of information must also occur in a
broad sense with relevant information flowing down, across, and up the organization.
Management must clearly communicate to all employees that control responsibilities
are to be taken seriously. Employees must understand their role in internal control
and they must have a means of communicating important information up the chain of
command. Communications must also occur with outside parties such as the
Congress, other federal agencies, state and local governments, grant recipients and
contractors (suppliers), the public, and the media.
        1. Information
Information is needed throughout the agency to achieve all of the categories of
objectives: operations, financial reporting, and compliance. A given piece of
information may help to achieve only one category of objectives or it may be useful in
achieving all of them. Information is identified, captured, processed, and reported via
information systems, which may be computerized, manual, or a combination of both.
Information systems may gather data in a monitoring mode, i.e., routinely capturing
specific data as transactions and events occur. The system may also be designed to
capture or develop special data on a one-time or occasional basis to suit the
special needs of management. Information systems must be flexible and able to be
changed to meet the changing needs of management in a dynamic operating
environment.

Information systems are now increasingly becoming a part of the method by which
strategic initiatives are implemented by agencies. Improved technology in information
capture and analysis has helped many entities respond more rapidly and efficiently to
those they serve. In addition, information systems are used to proactively support
operational strategies and the entity's activities, track and record transactions and
events as they occur, and maintain and report financial and other data related to
operations and/or compliance objectives.

The quality of the information captured, maintained, and reported by the systems will
affect management's ability to control the agency and meet the agency's objectives.
The quality of information is measured by such factors as whether the information
content is appropriate, timely, current, accurate, and accessible. These quality factors
are affected by internal control and must be inherent in the information to help ensure
that informed decisions are made throughout the agency.
              2. Communications

Information systems inherently imply communications. Information not only must be
captured, but it must be provided to appropriate personnel promptly so that they can
perform their operating, financial reporting, and compliance responsibilities.
Information must be communicated both internally and externally to other appropriate

        A. Internal Communications

Communications within the agency are extremely important for good internal control.
To ensure that effective internal communications can occur, the following kinds of
control should be in place.

        •  All personnel need a clear message from top management that internal
           control responsibilities are important and must be taken seriously.

        •  Specific duties must be made clear to each individual, and each person needs
           to understand the relevant aspects of internal control and how his or her role
           fits into it. Employees should also know how their work relates to the
           work of others. This will help in recognizing problems, determining causes,
           and taking corrective action.

        •  Employees should know that when the unexpected occurs in performing
           their duties, attention must be given not only to the event but to the cause
           as well, so that any potential control weaknesses can be identified and fixed.
           For example, changes in internal operating policies may need to be reviewed
           and approved by appropriate levels of management within the organization.
           When evidence of approvals is not available, corrective action should take
           place prior to implementation.

        •  All personnel should know what behavior is acceptable and unacceptable.
           An example of unacceptable behavior can occur when a manager, under
           pressure to meet deadlines and budgets, unintentionally sends the wrong
           message by telling subordinates "...to meet the deadline and budget anyway
           you can..."
        •  Personnel should have a means of communicating information upstream
           within the agency. There must be open channels of communication and a
           clear-cut willingness to listen on the part of management, especially since
           potential problems can be minimized or even averted by listening to staff.

        •  In some instances, informal or separate lines of communications are needed
           to serve as a "fail-safe" control mechanism for normal communications.

        •  Personnel need to know there will be no reprisals for reporting information.

        •  Agency management must keep internal oversight groups, such as senior
           management councils, updated on performance, developments, risks, major
           initiatives, and any other significant or relevant events.
                B. External Communications

The agency must communicate with many external groups that can have a very
serious impact on programs, projects, operations, and other activities, including
budgeting and financing. To help ensure that effective external communications exist,
the following types of control should be established.

        •  Communications channels must be established and kept open to customers
           and others that the agency serves as well as with contractors/suppliers.
           These groups can provide significant input on quality and design of agency
           outputs.

        •  Anyone dealing with the agency must be made to understand that improper
           actions, such as improper billings or kickbacks and other improper payments,
           will not be tolerated.

                •       Communication from external parties (other federal agencies, state and local
                        governments, contractors/suppliers, and other related third parties) should be
                        encouraged as it can provide information on the functioning of internal
                        control. Complaints or other inquiries (for example, those concerning
                        services provided such as shipments, receipts, billings, or other activities)
                        should be welcomed as they can point out control problems. They should be
                        followed up by personnel independent of the original ...

                •   Management must make certain that the advice and recommendations of
                    Inspectors General and external auditors are fully considered.
                •   Communications to the Congress, state and local governments,
                    contractors/suppliers, the public, the media, and other external parties should
                    provide information relevant to their needs so that they can understand the
                    circumstances and risks facing the agency, and thus better understand the ...

                3. Means of Communicating

      Communication may take many forms, including policy and procedures manuals,
      management directives, memoranda, bulletin board notices, videotaped messages,
      e-mail (as well as other electronic means of conveyance), speeches, etc. However,
      one of the most powerful forms of communication is the action management takes in
      dealing with agency personnel throughout the organization and in the support
      it demonstrates to them.

      Monitoring

                Internal control must be monitored. Monitoring is a process that
                assesses the quality of performance over time.

      Since conditions change over time, management needs to determine if the internal
      control continues to be relevant and continues to address new or changed risks. This
      is done by ongoing monitoring activities, separate evaluations, or a combination of
      both. Ongoing monitoring occurs during normal operations; it includes regular
      management and supervisory activities as well as certain other actions personnel take
      in performing their duties. The scope and the frequency of separate evaluations
      depend mainly on management's assessment of risks and the effectiveness of the
      ongoing monitoring procedures. Internal control deficiencies should be reported up
      the chain of command, with serious matters reported to top-level agency management
      and externally in accordance with FMFIA requirements.

                1. Ongoing Monitoring Activities

      Internal control should be designed to monitor itself. The greater the degree and the
      more effective the ongoing monitoring is, the less need for separate evaluations.
      Ongoing monitoring activities are performed continually and are ingrained in the
      agency's operations. Therefore, they are usually more effective than separate
      evaluations. Activities which serve to monitor internal control in the ordinary course
      of operations are many and may vary from one agency to another. However, they
      usually include regular management and supervisory activities, comparisons,
      reconciliations, and other routine activities. Examples of ongoing monitoring activities
      which agencies should incorporate into their internal control follow.
                •    In the process of carrying out regular management functions, management
                     should obtain information as to whether internal control is working properly.
                     Operating reports should be integrated or reconciled with financial reporting
                     system data and used to manage operations on an ongoing basis. Significant
                     inaccuracies or exceptions should alert management to any internal control ...

                •    Communications from external parties should corroborate internally
                     generated data. If not, it could indicate problems with internal control. For
                     example, customers paying their invoices help to corroborate billing data,
                     while customer complaints indicate that deficiencies may exist. Similar
                     situations may exist with other external groups.

                •    Appropriate organizational structure and supervision should provide
                     oversight of internal control functions. For example, automated edits and
                     checks as well as clerical activities help control accuracy and completeness
                     of transaction processing. Separation of duties and responsibilities help to
                     deter fraud.

                •    Data recorded by information systems should be compared with physical
                     assets and any deficiencies examined.

                •    Inspectors General and external auditors regularly provide recommendations
                     on improvements in the internal control structure. Management should take
                     appropriate actions.

                •    Training seminars, planning sessions, and other meetings should provide
                     management with feedback on whether internal control is effective.

                •    Employees regularly should be asked to state explicitly whether they
                     understand and comply with the agency's code of conduct or similar agency
                     pronouncements of expected employee conduct.

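The comparison of information-system records against physical assets described in the list above, and the routing of the resulting deficiencies up the chain of command, can be made concrete in code. The following is an added illustration written for this page, not GAO text and not any agency's system; the asset identifiers, quantities, record layout and the escalation threshold are constructed for the example.

```python
"""Reconcile information-system asset records against a physical count.

Added illustration (not part of the GAO standards). The record layout
(asset_id -> quantity) and all sample data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Deficiency:
    """One exception found by the reconciliation."""
    asset_id: str
    kind: str       # "missing", "unrecorded", or "quantity_mismatch"
    recorded: int   # quantity per the information system (0 if unrecorded)
    counted: int    # quantity per the physical count (0 if missing)

    @property
    def variance(self) -> int:
        # Positive: more on hand than recorded; negative: fewer than recorded.
        return self.counted - self.recorded


def reconcile(system_records: Dict[str, int],
              physical_counts: Dict[str, int]) -> List[Deficiency]:
    """Compare recorded quantities with counted quantities.

    Returns every asset that is recorded but not found, found but not
    recorded, or present in both with differing quantities. The result is
    sorted by absolute variance (largest first, ties by asset id) so the
    most significant deficiencies are examined first.
    """
    deficiencies: List[Deficiency] = []
    for asset_id in sorted(set(system_records) | set(physical_counts)):
        recorded = system_records.get(asset_id)
        counted = physical_counts.get(asset_id)
        if recorded is None:
            deficiencies.append(Deficiency(asset_id, "unrecorded", 0, counted))
        elif counted is None:
            deficiencies.append(Deficiency(asset_id, "missing", recorded, 0))
        elif recorded != counted:
            deficiencies.append(
                Deficiency(asset_id, "quantity_mismatch", recorded, counted))
    deficiencies.sort(key=lambda d: (-abs(d.variance), d.asset_id))
    return deficiencies


def escalation_candidates(deficiencies: List[Deficiency],
                          threshold: int) -> List[Deficiency]:
    """Select deficiencies whose absolute variance reaches the threshold.

    The threshold is a constructed stand-in for management's judgment of
    which matters must be reported further up the chain of command.
    """
    return [d for d in deficiencies if abs(d.variance) >= threshold]


# Constructed sample data: what the information system says is on hand
# versus what a physical count found.
SYSTEM_RECORDS = {"LAPTOP-0001": 40, "SERVER-0002": 6,
                  "PRINTER-0003": 3, "RADIO-0004": 12}
PHYSICAL_COUNT = {"LAPTOP-0001": 37, "SERVER-0002": 6,
                  "RADIO-0004": 12, "SCANNER-0005": 2}

if __name__ == "__main__":
    found = reconcile(SYSTEM_RECORDS, PHYSICAL_COUNT)
    for d in found:
        print(f"{d.asset_id:13} {d.kind:18} recorded={d.recorded:3} "
              f"counted={d.counted:3} variance={d.variance:+}")
    print("escalate:", [d.asset_id for d in escalation_candidates(found, 3)])
```

Run as a script, the block lists three deficiencies (a quantity shortfall on laptops, a printer recorded but not found, and a scanner found but never recorded) and flags the two largest for escalation; the unrecorded asset is still reported, since an asset outside the records is as much a control deficiency as one that is missing.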
                2. Separate Evaluations

      While monitoring by ongoing activities provides important feedback on the internal
      control, separate evaluations of control can be useful by focusing directly on the
      control's effectiveness at a specific time. Separate evaluations of internal control may
      vary in scope and frequency. The frequency and scope of such evaluations necessary
      for management to be satisfied about the effectiveness of the internal control is a
      matter of judgment depending largely on the significance of the risks being
      controlled and the importance of control in reducing those risks.7 Evaluation of all
      control is usually needed less often than for specific parts of the structure. However,
      control evaluation may be prompted by such things as changes in major management
      plans or strategies, major expansion or downsizing of the agency, or significant
      changes in operations or processing of financial data.

      Separate evaluations often take the form of self-assessments. In such cases
      individuals responsible for a particular unit or function should determine the
      effectiveness of control for their own activities. Inspectors General may perform the
      evaluation as a part of their regular duties. External auditors may also be used, or a
      combination of methods may be employed.

      Evaluating the internal control is a process. Specific approaches or techniques may
      vary by agency, but discipline must be brought to the process and there are certain
      basics inherent in it. The people performing the evaluation must understand each of
      the agency's activities and each of the components of the internal control being
      addressed. Evaluators must determine how the control actually works and compare
      that to the way it was intended to work. They must be alert to procedures that have
      become outmoded over time or may no longer be performed. The evaluator must
      analyze individual controls, test them, and assess the results of tests performed against
      the backdrop of established criteria. The ultimate goal is to determine whether the
      control provides reasonable assurance with respect to the stated objectives.

      There are many types of evaluation methodologies and tools available. Some of these
      include checklists, questionnaires, flowcharting methods, quantitative techniques and
      lists of control objectives, and direct testing of control effectiveness. The evaluator
      should use those most appropriate to the circumstances encountered and the purposes
      of the evaluation. Benchmarking against other agencies, nongovernmental entities, or
      trade or association standards may also be used. Management consultants and
      auditors may also be helpful.

      Internal control should be documented. The evaluator may find, however, that some
      informal and undocumented internal control activities have been developed and
      implemented. All this control may be tested by the evaluator and may prove to be
      effective. Nevertheless, an appropriate level of documentation usually makes the
      evaluation more efficient and helps employees understand how the structure works
      and their part in it. Therefore, the evaluator may wish to extend the documentation
      during the evaluation process and recommend that management document control in a
      formal manner. Appropriate documentation may be needed if assertions are to be
      made to additional parties about control or the evaluation.

      7 The Federal Managers' Financial Integrity Act of 1982 (31 U.S.C. 3512(d)) states that
      heads of executive agencies are to make an annual evaluation of their internal control,
      using guidelines established by OMB. Those guidelines, OMB Circular A-123, Revised,
      "Management Accountability and Control," state that "Agency managers should
      continually monitor and improve the effectiveness of management control associated
      with their programs. This continual monitoring, and other periodic evaluations, should
      provide the basis for the agency head's annual assessment of and report on
      management control, as required by the Integrity Act."

                3. Internal Reporting of Deficiencies

                Deficiencies in the agency’s internal control can show up via the ongoing monitoring
                activities, as a result of a separate evaluation or via external parties. A “deficiency” is
                a condition within the internal control worthy of attention. A deficiency may
                represent a perceived, potential, or real problem, or an opportunity to strengthen the
                agency’s internal control.

                Obviously, when deficiencies are found, they need to be reported. Exactly which
                problems warrant reporting is highly subjective, but some guidelines can be drawn.
                All internal control deficiencies that can affect the agency’s attainment of its
                objectives should be reported up the chain of command to those who can take
                necessary action. In considering what needs to be communicated, it is necessary to
                look at the implications of the findings. What seems to be a simple problem with an
                apparently simple solution might have more far-reaching control implications. This
                underscores the need for reporting deficiencies or other problems up the chain of
                command. It is essential not only that the deficiency be reported, but that potentially
                faulty control be reevaluated and fixed.

             Providing information to the correct person up the chain of command is critical to the
             effectiveness of the internal control. It is essential that deficiencies be reported to an
             official who is in a position to ensure that appropriate remedial actions are
            implemented. A general rule is that a manager should receive control information
            needed to affect action or behavior of people under his or her responsibility or to
             achieve the activity’s objectives. However, some critical weaknesses have implications
            that transcend organizational divisions and these must be resolved at an agencywide
            level. Regardless of their organizational placement within an agency, the responsible
            official would need supporting information on the nature of matters that could have
            significant financial consequencesor strategic implications, or that could affect the
            agency’s reputation. The head of the agency should be informed of any serious
             deficiencies, errors, problems, or infractions of policies and procedures. Senior
             managers should be apprised of control deficiencies affecting their units, and lower-
             level managers should be informed of control deficiencies in their units in increasing
             levels of detail as one moves down the organizational structure. In addition, oversight
             groups, such as a senior management council, may recommend to the agency head
             which deficiencies are deemed to be material to the agency as a whole, or which
             conditions are reportable, and therefore should be included in the annual Federal
             Managers' Financial Integrity Act report to the President.8

      8 See footnote 5, regarding certain management control concepts as discussed in OMB Circular
      A-123. In addition, see the standard for reporting to external parties.


The second group of internal control standards consists of three standards which
address the evaluation of the effectiveness of the agency internal control, reporting on
internal control to parties external to the agency, and responding to audit findings and
recommendations. These standards are discussed below.

Effectiveness of Internal Control

       For internal control to be judged effective, management must have
       reasonable assurance that

       •   the agency's operational objectives are being met,
       •   the published financial statements and reports prepared for internal
           and external use (such as budget execution reports) are reliably
           prepared, and
       •   compliance with applicable laws and regulations is being achieved.

 Internal control is a process, but the effectiveness of the control is the state or
 condition of the process at a specific time. Since internal control is designed to help
 an entity achieve its objectives, the measurement of effectiveness should be closely
 tied to how well internal control is judged to be helping management meet those
 objectives. A subset of objectives for internal control relates to safeguarding of
 assets. Therefore, a measurement of the effectiveness of an agency's internal control
 with regard to safeguarding of assets could be as follows:

        Internal control can be judged effective in safeguarding assets if management
        has reasonable assurance that unauthorized acquisition, use, or disposition of
        the agency's assets is being prevented or detected promptly.

Determining whether an agency's internal control is effective should be based upon an
assessment of whether the five component standards have been met.9 The component
standards are the five that relate directly to the functioning and operation of internal
control. They include the control environment, risk assessment, control activities,
information and communication, and monitoring of control. The effective functioning
of these component standards provides management with reasonable assurance
regarding the achievement of objectives in one or more of the stated categories or
subsets of those categories. Therefore, these component standards are the criteria
against which internal control effectiveness is measured.

All five component standards must be met for internal control to be effective. This
does not mean, however, that each standard should be met in an identical manner, or
even at the same level, in different agencies. All the standards have to be considered
in the context of the particular agency and its own set of conditions and
circumstances. Some trade-offs may exist between standards. A specific internal
control can serve a variety of purposes. A control designed to meet the requirements
of one standard might also serve the purposes of a control that might ordinarily be
present to meet the requirements of a different standard. In addition, a control can
differ in the degree to which it addresses a particular risk so that a complementary
control, with limited effect, together can satisfactorily meet the requirement.

The significance of internal control weaknesses must be evaluated in determining their
impact on the five component standards and the control objectives. OMB has
provided guidance on materiality for reporting matters under the FMFIA in Circulars
A-123 and A-127, "Financial Management Systems," July 23, 1993. OMB defines a
weakness in internal control as a material weakness when the agency head
determines the weakness to be significant enough to be reported in the required
external FMFIA report. Additional guidance for evaluating financial reporting
deficiencies is provided by Generally Accepted Auditing Standards (GAAS) issued by
the American Institute of Certified Public Accountants. GAAS defines a material
weakness as a reportable condition10 in which the design or operation of internal
control does not reduce to a relatively low risk that losses, noncompliance, or
misstatements in amounts that would be material in relationship to the financial
statements being audited may occur and not be detected within a timely period by
employees in the normal course of performing their assigned functions. The existence
of a material weakness is prima facie evidence that one or more internal control
objectives are not being met. Further, reportable conditions, in combination, may
result in a material weakness.

Inspectors General reports, along with other reports on agency operations and financial
reporting, such as an audit report on the entity's financial statements, should be
considered in evaluating whether the objectives of internal control are being met.

10 GAAS defines a reportable condition as a matter which could adversely affect the
entity's ability to record, process, summarize, and report financial data consistent with
the assertions of management in the financial statements. Such deficiencies may
adversely affect one or more of the five component standards of internal control.

Internal control deficiencies identified by managers and employees should be reported
to higher level managers in the organization.

Reporting to External Parties

         Management shall provide an annual public report presenting its
         assertion about the effectiveness of its internal control.

The Federal Managers' Financial Integrity Act of 1982 requires annual reporting on
agency internal control. The Act directs the head of each executive agency to provide
an annual statement as to whether the agency's internal control complies with the
standards prescribed by the Comptroller General. Essentially, this requires the report
to make a declaration as to the effectiveness of the internal control. If the internal
control does not comply with such requirements, the report is to identify material
weaknesses and the plans and schedule for correcting those weaknesses. OMB
Circular A-123, "Management Accountability and Control," provides agencies guidance
on how to satisfy the FMFIA reporting requirement.

Prompt Resolution of Audit Findings

         Audit findings shall be promptly resolved.

Managers are to (1) promptly evaluate findings and recommendations reported by
auditors, (2) determine proper actions in response to audit findings and
recommendations, and (3) complete, within established time frames, all actions that
correct or otherwise resolve the matters brought to management's attention.11
This standard requires managers to take prompt, responsive action on all findings and
recommendations made by internal or external auditors. Responsive action is action
that corrects identified deficiencies or demonstrates that corrective action would not
be necessary. When audit findings identify opportunities for improvement rather than
cite deficiencies, responsive action is action that produces improvements.

The audit resolution process begins when the results of an audit are reported to
management, and is completed only after action has been taken that (1) corrects
identified deficiencies, (2) produces improvements, or (3) demonstrates the audit
findings and recommendations are either invalid or do not warrant management
action, in the case where management disagrees with the audit recommendations.

11 This standard is required by the Federal Managers' Financial Integrity Act of 1982,
which states that "The standards prescribed by the Comptroller General under this
paragraph shall include standards to ensure the prompt resolution of all audit
findings."

     Management (as well as auditors) should follow up on audit findings and
     recommendations to ascertain that resolution has been achieved. Auditors' findings
     and recommendations should be monitored through the resolution and follow-up
     processes. Top management should be kept informed through periodic reports so it
     can ensure the quality and timeliness of individual resolution decisions.

     INDIVIDUAL ROLES AND RESPONSIBILITIES

     Everyone in an agency has some responsibility for internal control. Management,
     however, is responsible for internal control with the ultimate responsibility at the top
     with the agency head. Many others within the organization also carry some
     responsibility for internal control within their particular functional or activity areas.
     Many groups external to the agency contribute to the effectiveness of the internal
     control, but they are not usually considered to be a direct part of the structure.

1.   Management
Agency management is directly responsible for all activities of the entity including internal control. Of course, management at different levels has different internal control responsibilities. The head of the agency has ultimate responsibility and his or her influence on internal control cannot be overstated. The senior managers at the activity level and in the functional areas should have responsibility for internal control related to their units’ objectives and they should provide direction and guidance for effective internal control policies and procedures within their areas. Likewise, down the chain of command, lower-level managers and supervisors should take responsibility for more specific internal control activities and procedures.

Agency Chief Financial Officers (CFO) and other financial and accounting personnel are of particular significance in monitoring internal control since their activities cut across all of the entity. They are often involved in entitywide planning and budgeting and are in a unique position for detecting fraud. In addition, as a member of top management, the CFO helps set the tone of the organization with regard to ethical conduct and can highlight the importance that should be placed on reliable financial reporting and internal auditing.
Regarding internal control, one of the most important units is an audit committee. While duties and responsibilities of an audit committee may vary from entity to entity, certain characteristics and functions are common to all. The committee is in the position to question top management on internal control decisions and to ensure that corrective actions are taken. Also, the audit committee is in the best position to prevent or question top management from overriding internal control. In some cases, the audit committee includes members from outside the entity, thus further strengthening the monitoring activities over control by the committee. While federal agencies usually do not have audit committees, some agencies do have a senior management council¹⁰ which can, in many respects, fulfill the role of a board for some agencies. In addition, it may be possible in the future for some agencies to have groups that fulfill the internal control functions and responsibilities of an audit committee.


All agency employees play some role in developing, maintaining, and assuring good internal control. In addition, all employees are responsible for communicating information about problems such as noncompliance with rules or violations of policy, etc., to higher levels in the entity. To ensure that all employees are involved in internal control, the roles and responsibilities of each person should be well defined and effectively communicated by management.

Inspectors General

Inspectors General directly assess internal control and make recommendations to management for improvements. All activities of the agency are potentially within the scope of their review, including operations, financial reporting, and compliance aspects of control. Inspectors General should be independent and have authority to report directly to the agency head to order appropriate action. Inspectors General communicate audit findings, analytical information, and recommendations for use in helping to achieve the agency’s objectives. They also alert management to deficiencies in internal control that come to their attention during their audits.

It is important to note that the Inspector General does not have the primary responsibility to establish or maintain internal control. That always belongs to the head of the agency.

External Auditors

Whether the agency is audited by government auditors or a private CPA firm, external auditors can provide a unique, independent, and objective view on internal control. External auditors usually have to gain sufficient knowledge of an agency’s internal control in order to plan their audit. The amount of attention given varies from audit to audit. Nevertheless, auditors often are in a position to provide management with useful information about internal control, especially when deficiencies are found.

¹⁰ See footnote 5 regarding Senior Management Councils as discussed in OMB Circular A-123.

The Congress

The mission and operations of a federal agency are governed by the laws and legislative oversight actions of the Congress. The agency’s internal control is no exception. Laws enacted by the Congress require the development and implementation of internal control to help effectively and efficiently achieve the objectives of the program or other requirements of the legislation. A number of laws specifically address internal control, including the Budget and Accounting Procedures Act, the Foreign Corrupt Practices Act, and the FDIC Improvement Act.¹³ The Congress, through its oversight activities, may also enact additional legislation to improve agency operations that results in modified agency policies and procedures (internal control) needed to implement the requirements.

Other Oversight Bodies

Other oversight bodies include the central agencies (OMB, Treasury, GSA, and OPM) and GAO. The central agencies provide guidance to agencies. For example, GSA sets the requirements for certain areas including federal property management and employees’ travel, and the OPM has oversight over federal personnel matters. Treasury’s responsibilities include providing financial policy and procedural guidance to agencies concerning financial reporting and other fiscal matters. OMB has broad responsibilities for central direction for budget formulation and oversight of agency operations, including information security. GAO supports the Congress in its role primarily through audits of agency operations and the spending of federal funds.

Other External Parties

External parties can supply insight to agency management that an internal control problem exists. This may come via complaints from those the agency serves, including the public or specific customers, from vendors and suppliers with which the agency deals, or direct reporting of improprieties by employees. In addition, groups such as financial analysts, taxpayer groups, the news media, etc., are always interested in how well an agency is doing or not doing, its plans and objectives, and actions taken in response to political and economic activities. Their investigative and monitoring activities can provide management with information on how others perceive the agency’s performance, the risks it faces, and the value of its strategies and actions. This information can be useful in enhancing internal control to achieve objectives.

¹³ See appendix III for a more complete listing of laws, requirements, and guidance affecting internal control.

INTERNAL CONTROL LIMITATIONS

One of the fundamental concepts underlying the definition of internal control is that, no matter how well designed and operated, an agency’s internal control structure can give only reasonable assurance, not absolute assurance, that objectives of the agency will be achieved. This is true because of limitations that are inherent in all internal control structures. These limitations include poor judgment and human mistakes, management’s ability to override control, collusion by two or more persons to circumvent control, and the need to consider costs and benefits relative to internal control. In addition, no matter how well internal control operates, some events or conditions that can affect the achievement of objectives will always remain outside the control of management.

The effectiveness of internal control may be limited by the realities of human judgments and mistakes. Decisions requiring judgment must often be made in a limited time, without benefit of full information, and under the pressures of conducting agency business. These judgmental decisions are likely to affect the achievement of objectives with or without good internal control. In addition, internal control can be rendered ineffective by ordinary personnel mistakes. This can happen, for example, by personnel misunderstanding instructions or making errors due to carelessness, distraction, or fatigue. Another example might be mistakes made by a temporary employee filling in for a regular employee on vacation or sick leave. These types of errors may occur because management has not provided proper supervision, training, or guidance. Internal control cannot provide absolute assurance of protecting the agency from inefficient, inadequate, or inept managerial decisions.

Management Override

Management, by virtue of its authority, may be capable of overruling prescribed policies, procedures, or other control for improper purposes with the intent of personal gain or an enhanced presentation of the agency’s financial situation or compliance with laws. Override practices could include deliberate falsifications or misrepresentations to agency officials, central agencies, lawyers, accountants, auditors, vendors, and others. It could also include issuing false documents, such as purchase orders or receipts. Management override, however, should not be confused with management intervention, which is management’s departure from prescribed policies or procedures for legitimate purposes. Intervention may be necessary to deal with unusual or nonrecurring situations. Management actions to intervene in internal control should be documented and disclosed to appropriate personnel.

Collusion

Collusion can result in an internal control failure. Individuals acting collectively to perpetrate and conceal an action from detection may be able to alter financial data or other management information in a manner that cannot be identified by internal

Costs Versus Benefits

Each entity must consider the relative costs and benefits of establishing specific internal control. In deciding whether a particular control should be established, the risk of failure and the potential effect on the entity should be considered along with the costs of establishing and maintaining the control. Usually, it is easier to estimate the cost of establishing the control as opposed to the more subjective measurement of the benefits provided. Even so, measuring cost can be difficult, especially with regard to issues such as management’s commitment to ethical values or the competence of personnel. In addition, the complexity of cost-benefit determinations is compounded by the interrelationship of control when it is “built in” to the business processes and when several internal control activities operate together to mitigate a particular risk. The challenge is to find the right balance. Excessive control is costly and counterproductive. Too little control presents undue risks. However, management is responsible for maintaining effective internal control and the burden of proof rests with management in determining costs versus benefits of internal control.

APPENDIX I

QUESTIONS FOR RESPONDENTS TO THE PROPOSED STANDARDS

Suggestions and comments on this exposure draft are welcome from the entire federal community, the accounting and auditing profession, and academic community as well as others interested in improving the development of federal internal control. Comments on any section of the document are encouraged. Specific questions and issues related to each section and standard are presented below. These questions are intended as an aid for respondents reviewing the draft. Reviewers are not required to comment on the questions. Neither are they precluded from commenting on topics not specifically listed. Responses will be most helpful if they include relevant information, rationale, and alternatives, rather than mere expressions of preference.


1. The most important and fundamental concepts underlying internal control are presented in this section. These include the view of internal control as a process, run by people, aimed at achieving objectives in one or more overlapping categories, and providing reasonable assurance that those objectives are being met. Are these fundamental concepts complete or would you suggest others that should be discussed here? If so, please list them and explain your reasoning.

    Control     Environment

2. This standard discusses seven major factors that significantly affect providing a positive and supportive attitude toward the agency’s internal control. Are these complete? If not, what additional factors should be added and why?

    Risk Assessment

3. This standard calls for the identification of internal and external risks which the agency may face and provides examples of several possible techniques for identifying those risks. Should any additional ones be discussed? Should any be removed and, if so, why?

4. The standard describes that risk analysis includes estimating risk significance, frequency, and likelihood of occurrence, as well as considering actions to be taken to manage the risk. Do you agree with this presentation? Are there other issues regarding risk identification, analysis, and management that should be discussed at the broad standard level?

 Control Activities

5. This standard discusses 10 major types of control activities (control procedures, techniques, methods, mechanisms, etc.) and states that these are not meant to be all-inclusive. Are there additional ones that you believe should be included here? If so, what are they and why should they be included?

6. Realizing that a standard is broad, high-level guidance, are the discussion and requirements of this standard adequate with regard to control over information systems? If not, what additional information or requirements should be

Information and Communications

7. This standard discusses and explains control that should be in place for the agency to gather information and communicate it to those who need it, both within the agency and external to it. Should any additional specific control be included? If so, what control, and why?

Monitoring

8. The standard presents two forms of monitoring (ongoing evaluations and separate evaluations) and discusses the control activities involved in each. Do you agree with this presentation and are there any additional control activities that should be added to either type of monitoring?

Effectiveness of Internal Control

       9. The standard presents criteria for measuring the effectiveness of an agency’s
          internal control based upon whether, and to the degree that, the component
          standards have been met. Do you agree with these criteria? Are there other
          methods or criteria that should be used to measure internal control
          effectiveness? If so, please explain.

Reporting to External Parties

10. Some specific requirements for reporting on internal control come from legislation and are reiterated by the requirements of this proposed standard. One requirement calls for the report to be signed by the head of the agency (as required by law). Should another high level official, such as the agency’s chief financial officer, also sign the report? What would you add to or delete from the proposed standard and why?

Prompt Resolution of Audit Findings

                  11. The requirement to include this standard comes from the Federal Managers’
                      Financial Integrity Act of 1982. It has been included almost completely as it
                      appears in the current standards. Do you think it needs to be changed in any

Individual Roles and Responsibilities

12. The exposure draft states that management is ultimately responsible for internal control. It discusses the role that management has to play and then discusses the roles played in internal control by various other groups, both internal and external to the agency. Do you know of any other groups that should be included in this discussion? If so, what exactly are their responsibilities regarding internal control?

Internal Control Limitations

13. This section discusses the inherent limitations of internal control and the fact that the internal control structure can never provide absolute assurance that objectives will be achieved. The discussion specifically focuses on certain limiting factors, i.e., human judgment and mistakes, management override, collusion, and the cost versus the benefits of internal control. Do you believe any additional inherent limitations should be presented? If so, what limitations and exactly how do they affect the internal control structure?

APPENDIX           II

                                                                                                      ._ -

              EXISTING           STANDARDSI                                               PROPOSED               REVISION.

 Purpose of Internal
 Control Standards

 This document contains the Comptroller                                   See Introduction, page 5, fkst paragraph,
 General’s internal control, standards to be -                            first sentence+imilar wording.
 followed by executive agencies in
 establishing and maintaining internal’control
 as required by FMFIA.

 Objectives of Internal               Control
 l      Obligations and costscomply with                                  See Introduction, page 5, where Objectives
       :applicable la*;                  ”       i                       lists three major categories of interTkal
  l     AlLassets are.safeguarded against waste,                          control objectives:               : c
        loss;,unauthorized use, and.:..                                            l operations:-Vrelating to efficient and
    .,1misappropriation.           .’ ’                                              effe&ive We of resources,
 l      Revenuessnd expenditures applicable to                                     l financial reports - relating to
* .agencyoperations are. recorded:and                                                preparation of reliable financial
        accounted for properly sothat accounts                                       statements, and
        and reliablefinancial and statistical                                     l  compliance - relating to the
        reports may be prepared and +                                                agency’s compliance with laws and
        accountability of the assets may be                                          regulations.
        maintained.                                                      A subset‘of these objectives is the
                                                                         safeguarding of assets.
              ‘ “’ ‘,                       :,’       j_ :               ,’ ,, ‘i :    .,~.!*,
                                                                                            ,.,.* : .. -,    ‘:-I”
                 ./,  ‘,        .-..  ,.  ”   ,: 1’.
                                                ._         ‘.                        .) /<..,..   .!      :        :
 Re&irements of Management.
    .,: !,       ,,..       ,... ,,: .,                                  See Introduction, page 7, Evaluation and
 l Make an annual evaluationof their                                     Reporting Requirements-similar wording.
   internal control using guidelines
   established by OMB.
      _/,-.;: , -,            .,.,  .:.; .>:
   .;          : .:,c    ..     .)        _. ,“I;:: _; :.-_                                      ,__                1-,;;:: i; iy’: :...,
                                 ,, .,-.(9
                                         ..:,.7,.  .’     ,:,        .,;‘i:,~~:f‘,~,:,J,(:
                                                                        ,. _ ,’ ’ ;,;;,.;: ‘.’ !...i.:,,‘:-;“.’ ;.,-~                  , 1’,,.
                           - _,‘I,,. “_; _..., ! .,. ‘. *i             ,“,‘,T;:
                                                                              _.‘.,. _;‘;-
                                                                                   :-1 ,._‘Z”.
                                                                                                :  ._     ,    I, .-,(
                                                                                                                 . h”..,    .,,
                                                                                                                              :;,: ,,, ‘... .    ‘1

‘%andards For Jnternal Controls In the Federal ~Government,”GAO, 1983,Title 2,
Appendix ‘III, GAO Pohcv’and Procedures Manual for Guidance of Federal Agencies. ” ’

Page45                                                          GAO/AIMD-9821.3.1ProposedRevisionof J/C Stds (E/97)
                                                                     See Monitoring Standard, page 30, footnote
                                                                     7 states that continual monitoring and
                                                                     periodic evaluations should provide the
                                                                     basis for the annual assessment.

          l        Provide annual reports to the President           See Introduction, page 7, Evaluation and.
                   and Congress that state whether agency            Reporting Requirements-provide annual
                   systems of internal control comply with           reports to the President-similar wording.
                   the objectives of internal control and with       (Also, see footnote 3; page 11.)
                   the standards.                                    See Reporting to External Parties Standard,
                                                                     page 35.

          l        Where systems do not comply, agency               See Introduction, page 7, Evaluation and
                   reports must identify the weaknesses              Reporting Requirements-similar wording.
                   involved and describe the plans for               See Reporting to’ External parties Standard,
                   correction.                                       page 35.
Definition of Internal Control

The plan of organization and methods and procedures adopted by management to
ensure that resource use is consistent with laws, regulations, and policies;
that resources are safeguarded against waste, loss, and misuse; and that
reliable data are obtained, maintained, and fairly disclosed in reports.

    See Introduction, page 5, Definition, which says that internal control is a
    process, effected by an agency's management and other personnel, designed to
    provide reasonable assurance that the objectives of the agency are being met
    in the following categories: effectiveness and efficiency of operations,
    reliability of financial reporting, and compliance with laws and
    regulations. The definition also covers the safeguarding of assets.
Other Introductory Material

• The ultimate responsibility for good internal control rests with management.

    See Introduction, page 6, Fundamental Concepts, Internal Control is Effected
    By People - similar wording. Also, see Individual Roles and Responsibilities,
    page 37, which says the head of the agency is ultimately responsible for
    internal control.

• Internal control should not be looked upon as separate, specialized systems
  within an agency. Rather, they should be recognized as an integral part of
  each system that management uses to regulate and guide its operations.

    See Introduction, page 6, Fundamental Concepts, Internal Control is a
    Process - similar wording.
• The internal control standards define the minimum level of quality acceptable
  for internal control systems in operation and constitute the criteria against
  which systems are to be evaluated. These internal control standards apply to
  all operations and administrative functions but are not intended to limit or
  interfere with duly granted authority related to development of legislation,
  rulemaking, or other discretionary policy-making in an agency.

    See Internal Control Standards, page 9; introductory paragraph uses same
    wording. See Detailed Explanation of Standards, page 12; introductory
    paragraph uses same wording.
General Standards

Reasonable Assurance. Internal control systems are to provide reasonable
assurance that the objectives of the systems will be accomplished.

    See Introduction, page 5, Definition of internal control, which states that
    internal control systems are designed to provide reasonable assurance that
    objectives are being met. See Introduction, page 6, Fundamental Concepts -
    one of the main concepts is that internal control structures can provide
    only reasonable assurance, not absolute assurance, that objectives are being
    met. See section on Internal Control Limitations, page 40, where the
    introductory paragraph discusses the reasonable assurance concept.
Supportive Attitude. Managers and employees are to maintain and demonstrate a
positive and supportive attitude toward internal control at all times.

    See the Control Environment Standard, pages 13-16. The entire standard
    relates to management and employees establishing a positive and supportive
    attitude toward internal control. The Standard discusses seven major factors
    significantly affecting the control environment.

Page 47    GAO/AIMD-98-21.3.1 Proposed Revision of I/C Stds (12/97)
Competent Personnel. Managers and employees are to have personal and
professional integrity and are to maintain a level of competence that allows
them to accomplish their assigned duties, as well as understand the importance
of developing and implementing good internal control.

    See the Control Environment Standard, pages 13-14, Integrity and Ethical
    Values and Commitment to Competence. These are two of the major factors
    significantly affecting the control environment. Management has a primary
    role in demonstrating integrity and ethical conduct. Management should be
    committed to developing and maintaining a high level of competence among all
    employees. See the Control Environment Standard, page 15, Human Resource
    Policies and Practices, which states that this factor ties closely with the
    ones on commitment to competence and assignment of authority and
    responsibility. Also, see Monitoring Standard, page 29, Ongoing Monitoring
    Activities. Asking employees regularly to state explicitly whether they
    understand and comply with the code of conduct is listed as an ongoing
    monitoring activity which agencies should incorporate into their internal
    control structures.
Control Objectives. Internal control objectives are to be identified or
developed for each agency activity and are to be logical, applicable, and
reasonably complete.

    See Introduction, pages 5-6, Definition and Objectives. This section
    discusses the establishment of objectives and subsets of objectives for the
    entire agency. Objectives at these different levels should be linked to
    activities throughout the organization and should be internally consistent
    and complementary.
Control Techniques. Internal control techniques are to be effective and
efficient in accomplishing their internal control objectives.

    See Control Activities Standard, pages 19-24. This standard addresses control
    activities, which are the policies, procedures, techniques, and mechanisms
    that ensure that management's directives are being carried out to meet the
    agency's objectives. It states that control activities must be effective and
    efficient to provide a high degree of assurance that internal control
    objectives are being achieved.
Specific Standards

Documentation. Internal control systems and all transactions and other
significant events are to be clearly documented, and the documentation is to be
readily available for examination.

    See Control Activities Standard, page 22. Documentation is listed as a type
    of control activity that should be common to all agencies. Standard calls for
    documentation of internal control and all transactions and significant
    events. See Control Activities Standard, page 23, Control Over Information
    Systems, General Control: A particular type of general control is Application
    System Development and Maintenance Control, which includes documentation
    requirements. See Monitoring Standard, pages 30-31, Separate Evaluations,
    which states that an evaluator may find undocumented internal control. If
    these prove to be effective, they should be documented.
Recording of Transactions and Events. Transactions and other significant events
are to be promptly recorded and properly classified.

    See Control Activities Standard, page 21, where Recording of Transactions and
    Events is listed as a type of control activity that should be common to all
    agencies. Similar wording is used.

Execution of Transactions and Events. Transactions and other significant events
are to be authorized and executed only by persons acting within the scope of
their authority.

    See Control Activities Standard, page 21, where Execution of Transactions and
    Events is listed as a type of control activity that should be common to all
    agencies. Similar wording is used.
Separation of Duties. Key duties and responsibilities in authorizing,
processing, recording, and reviewing transactions should be separated among
individuals.

    See Control Activities Standard, page 21, where Segregation of Duties is
    listed as a type of control activity that should be common to all agencies.
    Similar wording is used. Also, see Monitoring Standard, page 29, Ongoing
    Monitoring Activities, where separation of duties and responsibilities is
    listed as an ongoing monitoring activity which agencies should incorporate
    into their internal control structures.
Supervision. Qualified and continuous supervision is to be provided to ensure
that internal control objectives are achieved.

    See Control Environment Standard, pages 14-15, Assignment of Authority and
    Responsibility, which states that implicit in the assignment of authority and
    responsibility is the requirement to provide qualified and continual
    supervision to keep employees aware of their duties and to know the extent of
    their accountability. See Control Environment Standard, page 15, Human
    Resource Policies and Practices, which calls for supervision, review, and
    approval of assigned work. Similar wording is used. Also, see Monitoring
    Standard, page 29, Ongoing Monitoring Activities, where appropriate
    organizational structure and supervision are listed as ongoing monitoring
    activities which agencies should incorporate into their internal control

Access to and Accountability for Resources. Access to resources and records is
to be limited to authorized individuals, and accountability for the custody and
use of resources is to be assigned and maintained. Periodic comparison shall be
made of the resources with the recorded accountability to determine if the two
agree. The frequency of the comparison shall be a function of the vulnerability
of the asset.

    See Control Activities Standard, pages 21-22. Access Restrictions to and
    Accountability for Resources and Records is listed as a type of control
    activity that should be common to all agencies. Similar wording is used.

Audit Resolution Standard

Prompt Resolution of Audit Findings. Managers are to:

• promptly evaluate findings and recommendations reported by auditors,

• determine proper actions in response to audit findings and recommendations,
  and

• complete, within established time frames, all actions that correct or
  otherwise resolve the matters brought to management's attention.

    See Prompt Resolution of Audit Findings Standard, pages 35-36; similar
    wording.

APPENDIX III

LAWS, REQUIREMENTS, AND POLICIES

LAW/GUIDANCE                       EFFECT

Budget and Accounting Procedures Act of 1950

    Establishes that GAO audits be directed at determining the extent to which
    . . . adequate internal financial control over operations is exercised.

    Requires the head of each executive agency to establish and maintain systems
    of accounting and internal control designed to provide, among other things,
    effective control over and accountability for all funds, property, and other

    States that GAO audits shall consider the effectiveness of accounting
    organizations and systems, internal audit and control, and related
    administrative practices of the respective agencies.

Foreign Corrupt Practices Act of 1977

    Requires the Securities and Exchange Commission registrants to devise and
    maintain a system of internal accounting control sufficient to provide
    reasonable assurances that (1) transactions are executed in accordance with
    management's general or specific authorization, (2) transactions are recorded
    as necessary . . . to maintain accountability for assets, (3) access to
    assets is permitted only in accordance with management's general or specific
    authorization, and (4) the recorded accountability for assets is compared
    with the existing assets at reasonable intervals and appropriate action is
    taken with respect to any differences.

Federal Managers' Financial Integrity Act of 1982

    Requires GAO to prescribe standards of internal accounting and
    administrative control and agencies to comply with them.

    Internal control provides reasonable assurance that (1) obligations and costs
    comply with applicable law, (2) assets are safeguarded against waste, loss,
    unauthorized use, or misappropriation, and (3) revenues and expenditures are
    recorded and accounted for properly so that accounts and financial and
    statistical reports may be prepared and the accountability of assets may be


    Requires that the internal control standards include standards to ensure the
    prompt resolution of all audit findings.

    Requires OMB to establish guidelines for agency evaluation of internal
    control to determine compliance with the internal control standards.

    Requires agency heads to (1) annually evaluate their internal control using
    the OMB guidelines, and (2) annually report to the President and the
    Congress[15] on whether the agency's internal control comply with the
    standards and objectives set forth in the act. If they do not fully comply,
    the report must identify the weaknesses and describe plans for correction.
    The report is to be signed by the head of the agency.

Single Audit Act of 1984[16]

    Requires that audits of state or local governments receiving federal
    financial assistance over specified amounts shall determine and report
    whether the government, department, agency, or establishment has internal
    control systems to provide reasonable assurance that it is managing federal
    financial assistance programs in compliance with applicable laws and
    regulations.

    If the audit finds any material weakness in the internal control, the State
    or local government shall submit to appropriate federal officials a plan for
    corrections to eliminate such weakness or a statement describing the reasons
    that correction is not necessary. Such plan shall be consistent with the
    audit resolution standard promulgated by GAO.

Chief Financial Officers Act of 1990

    States that the purposes of the Act are to ensure improvement in agency
    systems of accounting, financial management, and internal control; to assure
    the issuance of reliable financial information; and to deter fraud, waste,
    and abuse of government resources.

    Requires that agency CFOs develop and maintain integrated agency accounting
    and financial management systems, including financial reporting and internal

    Requires agency CFOs to prepare and transmit an annual report to the agency
    head and the Director of the OMB which shall include . . . a summary of the
    reports on internal accounting and administrative control systems submitted
    to the President and the Congress under the amendments made by the Federal
    Managers' Financial Integrity Act of 1982.

    Requires government corporations to submit an annual management report to
    the Congress which includes a statement on internal accounting and
    administrative control systems by the head of the management of the
    corporation, consistent with the requirements for agency statements on
    internal accounting and administrative control systems under the amendments
    made by the Federal Managers' Financial Integrity Act of 1982.

[15] The Federal Reports Elimination and Sunset Act of 1995 eliminates,
effective . . . 1999, the requirement to report to the Congress.

[16] The Single Audit Act Amendments of 1996 included a number of changes to
facilitate more uniform . . . performance . . . reporting requirements for all
types of organizations, such as . . . the dollar threshold that triggers an
audit and requiring minimum program coverage . . .

Federal Deposit Insurance Corporation Improvement Act of 1991

    Requires that insured depository institutions with assets of $150 million[17]
    or more prepare an annual report containing a statement of management's
    responsibilities for establishing and maintaining an adequate internal
    control structure. The report must also contain an assessment of the
    effectiveness of the internal control structure and procedures.

    Requires that, with respect to such internal control reports, the
    institution's independent public accountant shall attest to and report
    separately on the assertions made by management.

Government Performance and Results Act of 1993

    The Act requires that an agency's strategic plan contain six key components:
    (1) a comprehensive agency mission statement, (2) agencywide long-term goals
    and objectives for all major functions and operations, (3) approaches (or
    strategies) and the various resources needed to achieve the goals and
    objectives, (4) a relationship between the long-term goals and objectives
    and the annual performance goals, (5) an identification of key factors,
    external to the agency and beyond its control, that could significantly
    affect the achievement of the strategic goals, and (6) a description of how
    program evaluations were used to establish or revise strategic goals and a
    schedule for future program evaluations. Internal control plays a major role
    in assisting management in achieving the agencies' mission and providing
    meaningful information in plans and reports.

[17] The act provided the Federal Deposit Insurance Corporation (FDIC) with
authority to raise the $150 million threshold. FDIC set the reporting threshold
for insured depository institutions for assets of $500 million or more (12 CFR
363).

Federal Financial Management Improvement Act of 1996

States that much effort has been devoted to strengthening federal internal accounting control in the past, and, while some progress has been made, accounting standards have not been uniformly

Requires each agency to implement and maintain financial management systems that comply substantially with (1) system requirements, (2) applicable federal accounting standards, and (3) the Standard General Ledger. The system requirements are generally recognized as the requirements contained in JFMIP's Federal Financial Management System Requirements series documents. These internal control standards are consistent with the JFMIP systems requirements.
Requires that each agency's annual audit report state whether the agency's financial management systems comply with the requirements and, if they do not comply, then the report is to state all facts pertaining to the failure to comply. Requires the head of each agency to determine whether there is compliance based on the audit report and any other information and, if systems are not in compliance, the head of the agency shall establish a plan to bring the systems into compliance.

Requires GAO to report annually to the appropriate committees of the Congress concerning compliance with the requirements and whether the financial statements of the federal government have been prepared in accordance with applicable accounting standards and whether applicable accounting standards for the federal government are adequate.

OMB Circular A-123, Revised, "Management Accountability and Control"

Provides guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting, and reporting on management control (internal control). Essentially, this is the OMB guidance for executive agencies required by the Federal Managers'
OMB Circular A-127, "Financial Management Systems"

Prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems including internal control. Policies and references pertaining to internal control in this circular amplify policies in Circular A-123 or highlight requirements unique to financial management systems.

It requires that financial management systems include a system of internal control and requires that appropriate internal control be applied consistently to all system inputs, processing, and outputs.

JFMIP Framework for Federal Financial Management Systems

Describes the framework for establishing and maintaining federal financial management systems, and explains what is meant by a single, integrated agency financial management system. Internal control is an essential part of the integrated financial management system, and this document contains a chapter on internal control that is consistent with these internal control standards.

Statement of Federal Financial Accounting Concepts No. 1, "Objectives of Federal Financial Reporting"

As a concepts statement, this document provides general guidance to the Federal Accounting Standards Advisory Board as it deliberates on specific issues. It is also intended to help others to understand federal accounting and financial reports. This specific concepts statement discusses the objectives of federal financial

The fourth objective addresses systems and control. It states that federal "financial reporting should assist report users in understanding whether financial management systems and internal accounting and administrative control are adequate to ensure that

• transactions are executed in accordance with budgetary and financial laws and other requirements, are consistent with the purposes authorized, and are recorded in accordance with federal accounting standards;
• assets are properly safeguarded to deter fraud, waste, and abuse; and
• performance measurement information is adequately supported."

Page 56                                   GAO/AIMD-98-21.3.1 Proposed Revision of I/C Stds (12/97)
APPENDIX IV

MAJOR CONTRIBUTORS TO THIS EXPOSURE DRAFT

ACCOUNTING AND INFORMATION MANAGEMENT DIVISION

Robert W. Gramling, Director, Corporate Audits and Standards
Bruce Michelson, Senior Assistant
Larry J. Modlin, Assistant Director

Page 57


Ordering Information

The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists.

For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to:

or visit GAO's World Wide Web Home Page at:

United States
General Accounting Office
Washington, D.C. 20548-0001
Official Business
Penalty for Private Use $300

Address Correction Requested