United States General Accounting Office
GAO
Internal Control
December 1997

Standards for Internal Control in the Federal Government

Exposure Draft

PREFACE

These standards are provided as guidelines to assist managers in achieving the objectives of their organization. The standards apply equally to program implementation and administration as well as financial operations. They are intended to help both program and financial managers.

The Office of Management and Budget (OMB) Circular A-123, “Management Accountability and Control,” June 21, 1995, provides the requirements for assessing controls. These General Accounting Office (GAO) standards provide the measure of quality against which controls in operation are assessed. The discussions on the components of internal control, such as analyzing risks and monitoring controls, are presented as explanations to enhance the understanding of the standards.

OMB Circular A-123 uses the term “management control” to cover all aspects of “internal control” over an agency’s operations. The term internal control in this document is synonymous with the term management control in that the broad objectives of internal control (operations, financial, and compliance) cover all aspects of an agency’s operations.

Beginning with the Accounting [illegible], agency heads have been required to establish and maintain internal control. Since then, other laws have required renewed focus on internal control. The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires agency heads to [illegible] internal control using the guidance issued by the OMB and to report on whether their systems conform to the standards issued by the GAO. Most recently, the [illegible] systems.

Over the years, GAO has issued numerous publications to assist agencies in establishing and maintaining effective internal control systems.
In 1983, GAO drew on its previously issued guidance and experts throughout government, private sector, and academic communities to develop and issue “Standards for Internal Controls in the Federal Government” to facilitate implementation of FMFIA. Although those standards remain conceptually sound and are used throughout the federal government, this update enhances the standards to recognize recent internal control evaluation guidance developed by the private sector with assistance from GAO and others as well as to give greater recognition to the increasing use of information technology.

GAO/AIMD-98-21.3.1 Proposed Revision of I/C Stds (12/97)

The proposed standards supersede GAO’s “Standards for Internal Controls in the Federal Government.” They incorporate the existing GAO standards and the components of internal control covered in Internal Control-Integrated Framework, by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).¹ The eight major internal control standards contained in this revision follow the COSO guidance closely and also include reference to portions of OMB Circular A-123 that provide guidance for evaluating internal control. Two of the standards concerning management reporting on internal control and resolution of audit findings are standards not addressed by COSO but reflect the public’s demand for a high level of accountability for government stewardship of resources.
These two standards are currently required by law and by the existing internal control standards. Appendix II provides a crosswalk from the existing standards to those proposed in this document. When issued in final, these standards will replace the existing standards.

To facilitate review of these proposed standards, they are located on the internet on GAO’s Home Page (www.gao.gov/). Additional copies of these proposed standards can be obtained from the U.S. General Accounting Office, room 1100, 700 4th Street NW, Washington, DC 20548 or by calling (202) 512-6000. Please send comments by March [day illegible], 1998, to Robert W. Gramling, Director, Corporate Audits and Standards, Accounting and Information Management Division at:

U.S. General Accounting Office, Room 6089
441 G Street, NW
Washington, DC 20548

Accounting and Information Management Division

¹ Internal Control-Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 1992.

CONTENTS

Preface
Abbreviations
Introduction
Internal Control Standards
Detailed Explanation of Internal Control Standards
    Component Standards
        Control Environment
        Risk Assessment
        Control Activities
        Information and Communications
        Monitoring
    Evaluation and Reporting Standards
        Effectiveness of Internal Control
        Reporting to External Parties
        Prompt Resolution of Audit Findings
Individual Roles and Responsibilities
Internal Control Limitations
Appendixes
    I. Questions for Respondents to the Proposed Standards

Abbreviations

AIMD    Accounting and Information Management Division
CFO     Chief Financial Officers
COSO    Committee of Sponsoring Organizations of the Treadway Commission
CPA     Certified Public Accountant
FASAB   Federal Accounting Standards Advisory Board
FDIC    Federal Deposit Insurance Corporation
FFMIA   Federal Financial Management Improvement Act of 1996
FMFIA   Federal Managers’ Financial Integrity Act of 1982
GAAS    Generally Accepted Auditing Standards
GAO     United States General Accounting Office
GPRA    Government Performance and Results Act of 1993
GSA     General Services Administration
JFMIP   Joint Financial Management Improvement Program
OMB     Office of Management and Budget
OPM     Office of Personnel Management

INTRODUCTION

This document contains the internal control standards for executive agencies, as required by the FMFIA. Internal control is a major part of the management processes of any organization. Internal control comprises the plans, methods, and procedures used by an entity to meet its objectives. Effective internal control is essential to achieving the proper conduct of government business with full accountability for the resources made available. Internal control helps ensure that an agency meets its missions, goals, and objectives; complies with laws and regulations; is able to provide reliable financial and other information concerning its programs, operations, and activities; and serves as the first line of defense in preventing and detecting fraud.² It facilitates achieving management objectives by serving as checks and balances against undesired actions. In preventing negative consequences, internal control helps achieve the positive aims of program managers.

DEFINITION AND OBJECTIVES

Internal control is defined as a process, effected by an agency’s management and other personnel, designed to provide reasonable assurance that the objectives of the agency are being achieved in the following categories:

• Effectiveness and efficiency of operations including the use of the entity’s resources.
• Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.
• Compliance with applicable laws and regulations.

A necessary implication or subset of these objectives is the safeguarding of agency assets against unauthorized acquisition, use, or disposition. Consequently, the definition of internal control as it relates to safeguarding assets can be expanded to include processes, effected by an agency’s management and other personnel, designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of the agency’s assets.

Objectives should be identified at all levels throughout the agency. An agency should first establish its entitywide objectives and then more specific objectives, when determinable, throughout the various levels in the entity. Objectives at different levels should also be linked to activities throughout the organization and should be internally consistent and complementary.

² Fraud is the intentional misrepresentation of financial information or theft of or intentional misappropriation of assets.

FUNDAMENTAL CONCEPTS

The definition of internal control and the objectives which it seeks to attain reflect several associated fundamental concepts.
These concepts are useful in understanding and applying the internal control standards discussed on succeeding pages.

Internal Control Is an Ongoing Process

Internal control is not one event, but a series of actions and activities that permeate an entity’s operations. These actions are inherent in the way management runs the entity. Internal control should not be looked upon as separate, specialized systems within an agency. Rather, it should be recognized as an integral part of each system that management uses (for example, the budget development and execution systems) to regulate and guide its operations. In this sense, internal control is management control that is built into the entity and is a part of its infrastructure.

Internal Control Is Effected by People

People are what make internal control work. The responsibility for good internal control rests with all managers; everyone in the organization plays a part in making it happen. People set the objectives, put the control mechanisms and activities in place, and monitor and evaluate the control.

Internal Control Provides Reasonable Assurance, Not Absolute Assurance

No matter how well designed and operated, internal control cannot provide absolute assurance that all objectives will be met. Management should design and implement internal control based on the related cost and benefits. Once in place, internal control provides reasonable, not absolute, assurance of meeting objectives, because human mistakes and judgmental errors, management’s capacity to override control, and acts of collusion to circumvent control can hamper meeting objectives. Nevertheless, in the federal government, internal control effectively designed and operated provides the best available assurance that objectives of the agency will be achieved.

Internal Control Is Geared to Achieving Objectives in One or More Separate but Overlapping Categories

An objective in one category may overlap or support objectives in another category. In addition, the category into which an objective falls can sometimes depend upon the specific circumstances of an event or transaction or the environment of the entity. Some types of objectives are common to all entities, such as producing reliable financial statements and complying with all applicable laws and regulations. Others, particularly those related to operational efficiency and effectiveness, such as processing loan guarantee applications, are entity-specific and directed at the individual mission and goals of the agency.

EVALUATION AND REPORTING REQUIREMENTS

The FMFIA places several responsibilities on agency management for evaluating and reporting on internal control. The act directs the heads of executive agencies to

• annually evaluate their internal control using guidelines established by the OMB and
• annually report on whether agency internal control complies with the standards prescribed by the Comptroller General. Where internal control does not comply, agencies must identify the weaknesses involved and describe the plans for corrections.

ORGANIZATION OF THESE STANDARDS

This document presents eight standards for the development, operation, and evaluation of internal control for federal agencies. The first five of these standards are considered to be components of internal control. They are derived from the way management operates an agency and are integrated with the management process. They are considered essential for effective internal control.

The latter three standards address evaluating and reporting on internal control. In particular, the sixth standard provides a basis for determining whether agency internal control is effective.
The seventh cites the requirements of FMFIA for reporting on internal control. The final standard requires the prompt resolution of audit findings and recommendations related to internal control.

Additional sections discuss the internal control roles and responsibilities of various individuals and groups and explain the inherent limitations of internal control.

These standards replace the existing standards when issued in final.

INTERNAL CONTROL STANDARDS

The internal control standards define the minimum level of quality acceptable for internal control in operation and constitute the criteria against which internal control is to be evaluated. These internal control standards apply to all operations, administrative and programmatic functions, but are not intended to limit or interfere with duly granted authority related to developing legislation, rule making, or other discretionary policy making in an agency.

COMPONENT STANDARDS

Control Environment

Management and employees shall establish and maintain a control environment throughout the organization that sets a positive and supportive attitude toward internal control and control consciousness.

A positive control environment is the foundation for all other standards of internal control, providing discipline and structure. The control environment is the setting which influences the quality of internal control. Several key factors influence internal control.
These factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by top management and oversight groups.

Risk Assessment

Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives of the agency (for example, those program objectives and financial limitations set forth in the budget) and forming a basis for determining how risks should be managed. Because governmental, economic, industry, regulatory, and operating conditions continually change, mechanisms should be provided to identify and deal with any special risks associated with change.

Control Activities

Internal control activities are to be effective and efficient in accomplishing the agency’s control objectives.

Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives, such as the process of adhering to management orders for budget development and execution. They help ensure that actions are taken to address risks.
Control activities occur at all levels and in all functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, segregation of duties, and the creation and maintenance of related records (such as documentation) which provide evidence of execution of these activities as well as appropriate audit trails.

Information and Communications

For an entity to run and control its operations, it must have relevant, reliable information, both financial and nonfinancial, relating to external as well as internal events. That information must be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

Monitoring

Internal control must be monitored. Monitoring is a process that assesses the quality of performance over time. This is to be accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations shall depend primarily on the assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be communicated to the individual responsible for the deficient function and also to at least one level of management above that individual. [illegible] should be reported to top management.

EVALUATION AND REPORTING STANDARDS

For internal control to be judged effective, management must have
reasonable assurance that

• the agency’s operational objectives are being met,
• the published financial statements and reports prepared for internal and external use (such as budget execution reports) are reliably prepared, and
• compliance with applicable laws and regulations is being achieved.

The significance of all internal control deficiencies identified by management, employees, Inspectors General and other auditors, or other sources must be evaluated individually and collectively by management in deciding their effect on the five components of internal control and the related impact on whether the objectives of internal control are being met. OMB Circular A-123, “Management Accountability and Control,” dated June 21, 1995, provides guidance on assessing internal control deficiencies. Financial statement auditing standards provide additional guidance in assessing financial reporting weaknesses.

Reporting to External Parties

Management shall provide an annual public report presenting its assertion about the effectiveness of its internal control.

The FMFIA requires that the heads of executive agencies report annually to the President on internal control, identifying any material weaknesses and plans for correcting them. It also requires that agencies make these reports available to the public. OMB Circular A-123 provides guidance on how to satisfy FMFIA’s reporting requirements.

Audit Resolution

Audit findings shall be promptly resolved. Managers are to (1) promptly evaluate findings, those showing deficiencies and others, and
recommendations reported by auditors, (2) determine proper actions in response to audit findings and recommendations, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management’s attention.

DETAILED EXPLANATION OF STANDARDS

The internal control standards define the minimum level of quality acceptable for internal control in operation and constitute the criteria against which internal control is to be evaluated. These internal control standards apply to all operations, administrative and programmatic functions, but are not intended to limit or interfere with duly granted authority related to development of legislation, rule-making, or other discretionary policy-making in an agency.

The eight internal control standards can be categorized into two groups. One group comprises the five standards that relate directly to the functioning and operation of the internal control. The second group contains the other three standards which deal with evaluating the internal control, reporting on them, and responding to audit findings and recommendations.

COMPONENT STANDARDS

Internal control consists of five interrelated components which form an integrated process that can react to changing circumstances and conditions within the entity. These components are derived from the way in which agencies conduct their activities and are integrated within the management processes. The components of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring.
Each of these components is essential to achieving the operations, financial reporting, and compliance objectives of internal control. The standards for each are discussed below.

³ To a large degree, these standards parallel and draw upon the criteria presented in Internal Control-Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in September 1992. COSO consists of the American Institute of Certified Public Accountants, the American Accounting Association, The Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. Copies of Internal Control-Integrated Framework may be obtained from the Order Department, American Institute of Certified Public Accountants, Harborside Financial Center, 201 Plaza III, Jersey City, NJ 07311-3881.

Control Environment

Management and employees shall establish and maintain a control environment throughout the organization that sets a positive and supportive attitude toward internal control and control consciousness.

A positive and supportive control environment, providing discipline and structure, is the foundation for all other standards of internal control. The control environment is influenced by the agency’s history and culture and it, in turn, influences how the agency conducts its activities.

This standard requires that agency managers and other personnel be attentive to internal control and take it seriously. Attitude affects the quality of internal control and, as a result, the quality of performance and the achievement of internal control objectives. Attitude is not reflected in any one particular aspect of management’s actions, but rather is fostered
by management’s commitment to achieving strong control through all of its actions that contribute to a positive control environment.

There are seven major factors that significantly affect the entity’s control environment. These factors are (1) the integrity and ethical values of management and employees of the agency, (2) the competence of its personnel, (3) management’s philosophy and operating style, (4) the way the agency is organized, (5) the manner in which management assigns authority and responsibility, (6) how the agency develops and trains its human resources, and (7) the attention and direction provided by oversight groups. They are discussed below.

1. Integrity and Ethical Values

An agency’s top-level management plays a key role in providing leadership and in establishing and maintaining the organization’s ethical tone. It has primary responsibility for communicating behavioral standards to the rest of the agency.

Managers and employees should possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance [...] experience for specific jobs. In addition, counseling and performance appraisals are important. Performance appraisals should be based on an assessment of critical factors, including the implementation and maintenance of effective internal control.

3. Management’s Philosophy and Operating Style

The nature of internal control can be affected by the degree to which management is willing to accept risks and the degree of economic or regulatory control imposed by others. Other elements affecting the entity’s philosophy and style include attitudes toward reporting (both financial and programmatic) and the use of aggressive or conservative accounting principles and estimates and other rules for reporting.
In addition, the attitude of management toward data processing and accounting functions and personnel in general can have a profound effect on internal control. One important way for management to demonstrate its support for good internal control is to emphasize the value of an Inspector General, external audits, and other evaluations and studies, and its responsiveness to information developed through such products.

4. Organizational Structure

The organization of an agency provides its management with the overall framework for planning, directing, and controlling its operations to achieve its objectives. Good internal control requires that the entity’s organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting. The appropriateness of the structure depends, in part, upon the entity’s size and the nature of its activities. However, the organization of activities should be designed to achieve the entity’s overall objectives.

5. Assignment of Authority and Responsibility

For an agency to accomplish its mission, management must delegate authority and responsibility throughout the organization. This delegation covers authority and responsibility for operating activities, reporting relationships, and authorization protocols. A critical internal control challenge is to delegate enough to achieve the objectives, but not so much that internal control is significantly weakened. Another challenge is ensuring that each individual knows how his or her actions interrelate and contribute to meeting the objectives. With increased delegation of authority and responsibility, management should have effective procedures to monitor results. Individuals should be held accountable for their decisions and actions.

Implicit
in the assignment of authority and responsibility is the requirement to provide qualified and continuous supervision. Supervision throughout the agency helps ensure that employees are aware of their duties and responsibilities and know the extent to [...]

6. Human Resource Policies and Practices

This factor ties closely with the ones on commitment to competence and the assignment of authority and responsibility. The agency must establish appropriate practices for hiring, orienting, training, supervising, evaluating, counseling, promoting, compensating, and disciplining its personnel. For example, related to hiring, the agency should have standards for hiring qualified people, with emphasis on education, experience, accomplishments, and ethical behavior. Also, training must be an ongoing process and rotation of personnel and promotions should be based on periodic performance appraisals.

The appropriate degree of supervision, review, and approval of assigned work clearly identifies duties and responsibilities and helps to ensure the proper processing of transactions and events, reduces misunderstandings and improper practices, discourages wrongful acts, and provides staff with guidance and training. Bonus and/or award incentives can also be used to reinforce motivation and performance. In addition, disciplinary actions, when deserved, send a message to the rest of the agency that certain behavior will not be tolerated.

7. Oversight Groups

Oversight bodies in the federal government are the Congress and central agencies (OMB, Treasury, General Services Administration (GSA), the Office of Personnel Management (OPM), and GAO). In its oversight role, the Congress mandates the programs that agencies are to undertake and the extent and depth of the undertaking. GAO supports the Congress in its role.
The central agencies provide policy and other guidance to agencies. The Congress also monitors the agencies’ progress toward meeting the mandated goals.

Within agencies, there are also mechanisms in place to monitor operations and programs. These include senior management councils. Such councils may include high-level line and staff management as well as the agency inspector general. Agencies may also have audit committees analogous to the private sector. Senior management councils may help to fill the role of an audit committee and thereby improve the agency’s internal control.

Risk Assessment

Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

Every agency faces risks that could threaten the achievement of its objectives. These risks come from a variety of external and internal sources. Risk assessment is the identification and analysis of possible risks in meeting the agency’s objectives and forming a basis for how these risks should be managed or controlled and the deterrents that should be implemented.

A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. By setting objectives at both the entity and activity levels in terms of operations, financial reporting, and compliance with laws and regulations, agencies can identify critical success factors. These are the things that must occur or “go right” if the objectives are to be met. Knowing what must go right is critical to identifying the risks of what can go wrong.

The identification and analysis of risk is a continual process that is critical to the effectiveness of internal control.
Management must focus on risks at all levels in the entity and act to manage them.

1. Risk Identification

Management should be comprehensive in its identification of risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entity-wide and activity level. Many methods of risk identification may be used, including
• qualitative or quantitative methods to identify and rank high-risk activities,
• senior management planning conferences, and
• short and long-range forecasting and strategic planning.

Management should carefully consider the specific external factors that may present risk to the agency. Examples of such external factors that could cause risk include the following:
• technological developments;
• changing needs or expectations of the Congress, agency officials, and

Examples of internal factors that can give rise to risk may include the following:
• downsizing agency operations,
• reengineering agency operating processes,
• disruption of information systems processing,
• highly decentralized program operations,
• the quality of personnel hired and training provided,
• heavy reliance on contractors or other related parties to perform critical agency functions,
• changes in management responsibilities, and
• the nature of the entity's activities and employee access to assets.

In identifying risks, management must also consider other factors that may contribute to or increase the risk to which the agency may be exposed.
Examples of such considerations include past failures in meeting budget limits and agency objectives and the reasons for those failures; making improper program expenditures; geographically distributed agency activities; and the significance and complexity of any specific activity which the agency undertakes.

2. Risk Analysis

The risk analysis methodology can vary because levels of risk are difficult to quantify. However, the processes of analysis would generally include the following:
• estimating the risk significance,
• assessing frequency/likelihood of occurrence, and
• considering how to manage the risk and the actions to be taken.

All of these must be considered together. A risk that has little significance and low probability of occurring may require no action at all. Yet, one with high significance and high frequency will usually require much attention.

Once risks have been analyzed, management needs to formulate an approach for risk management and control based upon how much risk can be prudently accepted. The approach can vary considerably from one agency to another, but all approaches should be designed to keep risks within the levels judged appropriate by management. Once the approach has been implemented, it should be monitored and tracked for effectiveness.

3. Managing Risk During Change

Because governmental, economic, industry, regulatory, operating, and other conditions continually change, mechanisms should be provided to identify and deal with any special risks associated with change. Changing conditions often can greatly increase risks to an agency. Mechanisms should be in place to help management identify such changes. These mechanisms need not be elaborate, but are usually related to the recording and use of information. Some major changing conditions that warrant special consideration with regard to risk may include the following:
• new personnel in key positions or high personnel turnover;
• new or changed information systems;
• rapid growth, expansion, or downsizing;
• implementation of major new technologies;
• production or provision of new outputs; and
• starting operations in new geographical areas.

Control Activities

Internal control activities are to be effective and efficient in accomplishing the agency's control objectives.

Control activities are the policies, procedures, techniques, and mechanisms that ensure that management's directives are being carried out to meet the agency's objectives, including, for example, budget, program, and financial objectives and to prevent and detect fraud. They help ensure that necessary actions are taken to address risks affecting those objectives. They can usually be categorized by the specific objective (operational, financial reporting, or compliance) to which they relate, but often a particular control activity may apply to the achievement of more than one objective. Control activities occur at all levels and in all functions of the entity. They include a wide range of diverse mechanisms and activities such as organizational plans, managerial approvals and authorizations, verifications, reconciliations, performance reviews, maintenance of security, restrictions on access to resources, segregation of duties, and documentation of transactions and events and of the internal control structure itself.

Internal control activities involve two elements: policy on what should be done and procedures, techniques, and mechanisms to effect the policy. Policies should be in writing and should be implemented thoughtfully, conscientiously, and consistently. The procedures, techniques, and mechanisms to implement policy should continually provide a high degree of assurance that the internal control objectives are being achieved. To do so they must be effective and efficient. To be effective, control procedures, techniques, and mechanisms should fulfill their intended purpose in actual application. They should provide the coverage they are supposed to provide and operate when and as intended. They should be designed to derive maximum benefit with minimum effort to achieve efficiency. In addition they should be regularly monitored and evaluated.

1. Types of Control Activities

Many different types of control activities have been described including preventive control, detective control, manual control, computer control, and management control. Control activities, however, can also be classified by specific control objectives, such as ensuring completeness and accuracy of information processing. The following are certain categories of control activities that should be common to all agencies and examples that should be established for each. These are presented to illustrate the range and variety of control activities and are not all-inclusive of the control activities that a particular agency may require.

A. Top Level Reviews

Management should regularly review actual performance versus budgets, forecasts, and prior periods results.
The Government Performance and Results Act of 1993 (GPRA) requires that agencies develop strategic plans that cover a period of at least 5 years, annual performance plans, and report on the achievement of goals and objectives on an annual basis. (These performance reports start in March 2000.) GPRA requires that agencies develop performance targets and measures and report results. Top level management should be involved in these processes. Major agency initiatives should be tracked for target achievement. Implementation of plans should be monitored. Management actions taken to analyze and follow up on such tracking and monitoring represent control activities as well as the agency's control environment.

B. Direct Functional or Activity Management

The agency's managers also review performance reports, analyze trends, and relate results to targets. Financial and program managers should review reports designed to compare performance to planned or expected results. Other control activities may include reconciliations of summary information to supporting detail (e.g., control accounts to subsidiary accounts) and checking summarizations of operations.

A variety of control activities may be used to check data accuracy, completeness, and the appropriate authorization of transactions. Data entered into systems should be subjected to edit checks and matched to approved control files. Transactions should be accounted for in numerical sequences. File totals should be compared with control accounts. Exceptions should be examined and acted upon. Access to information processing data, files, and programs must be controlled.

D. Physical Control

Various types of assets such as equipment, inventories, securities, cash, and any other assets which may be vulnerable to risk of loss or unauthorized use should be physically secured and periodically counted and compared to amounts shown on control records.
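The following added example, which is not part of the GAO draft, applies the information processing checks described above (edit checks, matching to an approved control file, accounting for numerical sequences, comparing the file total with a control account, and collecting exceptions for follow-up) to a constructed batch of payment records. The record layout, vendor IDs, amount limit, and totals are assumptions made for illustration.

```python
"""Batch input controls: edit checks, control-file match, sequence and control totals.

Constructed sample data; field names and limits are assumptions for illustration.
"""
import re
from decimal import Decimal

# Approved control file (constructed): vendor IDs authorised to receive payment.
APPROVED_VENDORS = {"V1001", "V1002", "V1003"}
# Reasonableness limit (assumed policy value for this example).
MAX_AMOUNT = Decimal("25000.00")
AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")

# Constructed batch: (sequence number, vendor id, amount as entered).
BATCH = [
    (501, "V1001", "1200.00"),
    (502, "V1002", "980.50"),
    (504, "V9999", "300.00"),    # vendor not on control file; 503 is missing
    (505, "V1003", "99000.00"),  # exceeds reasonableness limit
    (505, "V1003", "45.10"),     # duplicate sequence number
    (506, "V1001", "12,5"),      # malformed amount
]
# Total held independently in the control account for this batch (constructed).
CONTROL_ACCOUNT_TOTAL = Decimal("2225.60")


def edit_check(record):
    """Return the edit-check failures for one record (empty list = accepted)."""
    _seq, vendor, amount = record
    problems = []
    if not AMOUNT_RE.match(amount):
        problems.append("format: amount is not a decimal with two places")
    elif Decimal(amount) > MAX_AMOUNT:
        problems.append("reasonableness: amount exceeds limit")
    if vendor not in APPROVED_VENDORS:
        problems.append("existence: vendor not on approved control file")
    return problems


def sequence_exceptions(seq_numbers):
    """Account for every number in the range: return (missing, duplicated)."""
    seen, duplicates = set(), set()
    for n in seq_numbers:
        (duplicates if n in seen else seen).add(n)
    expected = set(range(min(seen), max(seen) + 1)) if seen else set()
    return sorted(expected - seen), sorted(duplicates)


def process_batch(batch, control_total):
    """Apply all checks; clean records are accepted, the rest become exceptions."""
    exceptions, accepted = [], []
    missing, duplicates = sequence_exceptions([r[0] for r in batch])
    exceptions += [(n, "sequence: number not accounted for") for n in missing]
    already_seen = set()
    for record in batch:
        seq = record[0]
        problems = edit_check(record)
        # The first use of a number stands; any later reuse is an exception.
        if seq in duplicates and seq in already_seen:
            problems.append("sequence: duplicate number")
        already_seen.add(seq)
        if problems:
            exceptions += [(seq, p) for p in problems]
        else:
            accepted.append(record)
    # Compare the total of accepted records with the independent control account.
    file_total = sum((Decimal(r[2]) for r in accepted), Decimal("0"))
    if file_total != control_total:
        exceptions.append(
            (None, f"control total: file {file_total} != control account {control_total}")
        )
    return accepted, exceptions, file_total


if __name__ == "__main__":
    ok, exc, total = process_batch(BATCH, CONTROL_ACCOUNT_TOTAL)
    print("accepted:", [r[0] for r in ok], "file total:", total)
    for seq, reason in exc:
        print("exception:", seq, reason)
```

The difference between the file total and the control account is itself an exception to be examined: here it equals the amount on the record rejected for reusing a sequence number.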
E. Performance Indicators

Control activities should be established to monitor performance indicators. This control could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and corrective actions, if necessary, can be taken. Investigation of unexpected results or unusual trends enables identification of circumstances where achievement of activity objectives is threatened. Analysis of performance indicators may serve operational and/or financial reporting control purposes.

F. Segregation of Duties

Key duties and responsibilities should be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling the related assets. To reduce the risk of error, waste, or fraud or to reduce the risk of their going undetected, no one individual should control all key aspects of a transaction or event. Duties and responsibilities should be assigned systematically to a number of individuals to ensure effective checks and balances. Collusion, however, can reduce or destroy the effectiveness of this internal control activity, and management should reduce the opportunities for and watch for collusion.

G. Execution of Transactions and Events

Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. These authorization control activities deal with management's decisions to exchange, transfer, use, or commit resources for specified purposes under specific conditions. It is the principal means of assuring that only valid transactions and other events are initiated or entered into. Authorization should be clearly communicated to managers and employees and should include the specific conditions and terms under which authorizations are to be made. Conforming to the terms of an authorization means that employees are carrying out their assigned duties in accordance with directives and within the limitations established by law, regulation, and management.

H. Recording Transactions and Events

Transactions and other significant events should be promptly recorded and properly classified. Transactions must be promptly recorded if pertinent information is to maintain its relevance and value to management in controlling operations and making decisions. This applies to (1) the entire process or life cycle of a transaction or event and includes the initiation and authorization, (2) all aspects of the transaction while in process, and (3) its final classification in summary records. Proper classification of information on transactions and events refers to the organization and format of information on summary records from which reports and statements are prepared.

I. Access Restrictions to and Accountability for Resources and Records
Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made. The frequency of the comparison should be a function of the vulnerability of the asset.

The basic concept behind restricting access to resources and records is to help reduce the risk of errors, fraud, misuse, or unauthorized alteration, and to help achieve the directives of management. However, restricting access depends upon the vulnerability of the resources or records and the perceived risk, both of which should be periodically assessed. Other factors affecting access to assets include the asset value, portability, and exchangeability. Assigning and maintaining accountability for resources and records involves telling specific individuals within the agency that they are responsible for their custody and use.

J. Documentation

Internal control and all transactions and other significant events should be clearly documented, and the documentation should be readily available for examination. The documentation of internal control should include identification of the agency's activity-level functions and related objectives and control activities, and should appear in management directives, administrative policy, and accounting manuals. Documentation of transactions or other significant events should be complete and accurate and should facilitate tracing the transaction or event and related information from before it occurs, through its processing, to after it is completed. The documentation, whether in paper or electronic form, should be purposeful and useful to managers in controlling their operations and to auditors or others involved in analyzing operations.

2. Integration with Risk Assessment

Along with assessing risks, management needs to act to address those risks. The actions management decides to take to address risks also serve to focus attention on control activities put in place to ensure that the actions are carried out properly and promptly. Control activities are a major part of the process by which an agency achieves its objectives as opposed to being implemented for their own sake or because "it is the right thing to do." In this sense, control is built directly into the management process.

3. Control Over Information Systems

Most information systems today are computerized. Special control applies to them. However, even if the controls are different from those used in manual systems, they are still based on the same underlying concepts.

There are two broad groupings of information systems control - general control and application control. General control applies to all information systems - mainframe, minicomputer, and end-user environments. It also includes those manual measures and procedures that help ensure the systems' continued proper operation. Application control is designed to control the processing of transactions within the application software and includes related manual procedures.

A. General Control

These include control over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. Examples of control activities that agencies should use are described below.
• Data Center Operations Control - This kind of control includes job set up and scheduling, operations activities, backup and recovery procedures, and contingency and disaster planning.
• System Software Control - These include control over the acquisition, implementation, and maintenance of all system software including the operating system, data base management systems, telecommunications, security software, and utility programs.
• Access Security Control - This kind of control protects the systems and network from inappropriate access and unauthorized use by hackers and other trespassers or inappropriate use by agency personnel. Specific control activities include frequent changes of dial-up numbers; use of dial-back access; restrictions on users to allow access only to system functions that they need; "firewalls" (software and hardware) to restrict access to assets, computers, and networks by external persons; and frequent changes of passwords, deactivation of former employees' passwords, and other techniques.
• Application System Development and Maintenance Control - This kind of control provides the structure for developing new systems and modifying existing systems. Included are documentation requirements; authorizations for undertaking projects; and reviews, testing, and approvals of development and modification activities before placing systems into operation. An alternative to in-house development is the procurement of commercial software, but control is necessary to ensure that selected software meets the user's needs, and that it is properly placed into operation.

B. Application Control

This kind of control is designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. Control should also be installed at an application's interfaces with other systems to ensure that all inputs are received and are valid and outputs are correct and properly distributed. An example is computerized edit checks built into the system to review the format, existence, and reasonableness of data.

C. Relationship Between General and Application Control

General and application control over computer systems are interrelated. If the general control is inadequate, the application control is unlikely to function properly and could be overridden. The application control assumes that the general control will function properly and provide immediate feedback on errors, mismatches, incorrect format of data, and inappropriate data access (by unauthorized persons). Therefore, general control supports the functioning of application control, and both are needed to ensure complete and accurate information processing.

D. Evolving Information Technology

The field of computer information processing is one of rapid technological change. Changes in technology will change the specific control activities that may be employed and how they are implemented, but the basic requirements of control will not have changed. As more powerful computers place more responsibility for data processing in the hands of the end-users, the necessary controls (for example, routines within computer programs that validate data or persons/vendors and the procedures performed by users to ensure accurate processing by the computer) should be identified and selected.

4. Entity-Specific Control Activities

Agencies' internal control activities will be required to follow guidance set by oversight bodies. However, within the requirements, flexibility exists to allow agencies to tailor internal control to fit their needs. The specific internal control activities used by a given agency will be different from those used by other agencies, due to a number of factors. These could include differences in objectives; managerial judgment; size and complexity of the organization; operational environment (including such items as exposure to certain risks and location or geographical dispersion); sensitivity and value of data; and requirements for system reliability, availability, and performance. All of these factors should be considered when designing the specific control activities needed for an agency to achieve its objectives.

Information and Communications

For an entity to run and control its operations, it must have relevant, reliable information, both financial and nonfinancial, relating to external as well as internal events. That information must be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

Pertinent information must be identified, captured, and communicated in a form and time frame that permits people to perform their duties efficiently. Information systems produce reports containing the information that makes it possible to run and control the agency. Effective communication of information must also occur in a broad sense with relevant information flowing down, across, and up the organization. Management must clearly communicate to all employees that control responsibilities are to be taken seriously. Employees must understand their role in internal control and they must have a means of communicating important information up the chain of command.
Communications must also occur with outside parties such as the Congress, other federal agencies, state and local governments, grant recipients and contractors (suppliers), the public, and the media.

1. Information

Information is needed throughout the agency to achieve all of the categories of objectives - operations, financial reporting, and compliance. A given piece of information may help to achieve only one category of objectives or it may be useful in achieving all of them.

Information is identified, captured, processed, and reported via information systems, which may be computerized, manual, or a combination of both. Information systems may gather data in a monitoring mode, i.e., routinely capturing specific data as transactions and events occur. The system may also be designed to receive, capture, or develop special data on a one time or occasional basis to suit the special needs of management. Information systems must be flexible and able to be adapted to the changing needs of management in a dynamic operating and reporting environment.

Information systems are now increasingly becoming a part of the method by which strategic initiatives are implemented by agencies. Improved technology in information capture and analysis has helped many agencies respond more rapidly and efficiently to those they serve. Information systems are also used to proactively support operations and the entity's activities, track and record transactions and events as they occur, and maintain and report financial and other data related to operations and/or compliance objectives.
The quality of the information captured, maintained, and reported by the systems will affect management's ability to control the agency and meet the agency's objectives. The quality of information is measured by such factors as whether the information content is appropriate, timely, current, accurate, and accessible. These quality factors are affected by internal control and must be inherent in the information to help ensure that informed decisions are made throughout the agency.

2. Communications

Information systems inherently imply communications. Information not only must be captured, but it must be provided to appropriate personnel promptly so that they can perform their operating, financial reporting, and compliance responsibilities. Information must be communicated both internally and externally to other appropriate groups.

A. Internal Communications

Communications within the agency are extremely important for good internal control. To ensure that effective internal communications can occur, the following kinds of control should be in place.
• All personnel need a clear message from top management that internal control responsibilities are important and must be taken seriously.
• Specific duties must be made clear to each individual, and each person needs to understand the relevant aspects of internal control and how his or her role fits into it. Each employee should also know how his or her work relates to the work of others. This will help in recognizing problems, determining causes, and taking corrective action.
• Employees should know that when the unexpected occurs in performing their duties, attention must be given not only to the event, but to the cause as well, so that any potential control weaknesses can be identified and fixed. For example, changes in internal operating policies may need to be reviewed and approved by appropriate levels of management within the organization. When evidence of approvals is not available, corrective action should take place prior to implementation.
• All personnel should know what behavior is acceptable and unacceptable. An example of unacceptable behavior can occur when a manager, under pressure to meet deadlines and budgets, sends the wrong message by telling subordinates "...to meet the deadline and budget any way you can..."
• Personnel should have a means of communicating information upstream within the agency. There must be open channels of communication and a clear-cut willingness to listen on the part of management, especially since potential problems can be minimized or even averted by listening to staff concerns.
• In some instances, informal or separate lines of communications are needed to serve as a "fail-safe" control mechanism for normal communications methods.
• Personnel need to know there will be no reprisals for reporting information.
• Agency management must keep internal oversight groups, such as senior management councils, updated on performance, developments, risks, major initiatives, and any other significant or relevant events.

B. External Communications

The agency must communicate with many external groups that can have a very serious impact on programs, projects, operations, and other activities including budgeting and financing. To help ensure that effective external communications exist, the following types of control should be established.
• Communications channels must be established and kept open to customers and others that the agency serves as well as with contractors/suppliers. These groups can provide significant input on quality and design of agency outputs.
• Anyone dealing with the agency must be made to understand that improper actions, such as improper billings or kickbacks and other improper payments, will not be tolerated.
• Communication from external parties (other federal agencies, state and local governments, contractors/suppliers, and other related third parties) should be encouraged as it can provide information on the functioning of internal control. Complaints or other inquiries (for example, those concerning services provided such as shipments, receipts, billings, or other activities) should be welcomed as they can point out control problems. They should be followed up by personnel independent of the original transaction.
• Management must make certain that the advice and recommendations of Inspectors General and external auditors are fully considered.
• Communications to the Congress, state and local governments, contractors/suppliers, the public, the media, and other external parties should provide information relevant to their needs so that they can understand the circumstances and risks facing the agency, and thus better understand the agency.

3. Means of Communicating

Communication may take many forms including policy and procedures manuals, management directives, memoranda, bulletin board notices, videotaped messages, e-mail (as well as other electronic means of conveyance), speeches, etc. However, one of the most powerful forms of communication is the action management takes in dealing with agency personnel throughout the organization and in the support it demonstrates to them.

Monitoring

Internal control must be monitored. Monitoring is a process that assesses the quality of performance over time.

Since conditions change over time, management needs to determine if the internal control continues to be relevant and continues to address new or changed risks. This is done by ongoing monitoring activities, separate evaluations, or a combination of both. Ongoing monitoring occurs during normal operations. It includes regular management and supervisory activities as well as other certain actions personnel take in performing their duties. The scope and the frequency of separate evaluations depends mainly on management's assessment of risks and the effectiveness of the ongoing monitoring procedures. Internal control deficiencies should be reported up the chain of command, with serious matters reported to top-level agency management and externally in accordance with FMFIA requirements.

1. Ongoing Monitoring Activities

Internal control should be designed to monitor itself. The greater the degree and the more effective the ongoing monitoring is, the less need for separate evaluations.
Ongoing monitoring activities are performed continually and are ingrained in the agency’s operations. Therefore, they are usually more effective than separate evaluations. Activities which serve to monitor internal control in the ordinary course of operations are many and may vary from one agency to another. However, they usually include regular management and supervisory activities, comparisons, reconciliations, and other routine activities. Examples of ongoing monitoring activities which agencies should incorporate into their internal control follow.

• In the process of carrying out regular management functions, management should obtain information as to whether internal control is working properly. Operating reports should be integrated or reconciled with financial reporting system data and used to manage operations on an ongoing basis. Significant inaccuracies or exceptions should alert management to any internal control problems.

• Communications from external parties should corroborate internally generated data. If not, it could indicate problems with internal control. For example, customers paying their invoices help to corroborate billing data, while customer complaints indicate that deficiencies may exist. Similar situations may exist with other external groups.

• Appropriate organizational structure and supervision should provide oversight of internal control functions. For example, automated edits and checks as well as clerical activities help control accuracy and completeness of transaction processing. Separation of duties and responsibilities helps to deter fraud.

• Data recorded by information systems should be compared with physical assets and any deficiencies examined.
• Inspectors General and external auditors regularly provide recommendations on improvements in the internal control structure. Management should take appropriate actions.

• Training seminars, planning sessions, and other meetings should provide management with feedback on whether internal control is effective.

• Employees regularly should be asked to state explicitly whether they understand and comply with the agency’s code of conduct or similar agency pronouncements of expected employee conduct.

2. Separate Evaluations

While monitoring by ongoing activities provides important feedback on the internal control, separate evaluations of control can be useful by focusing directly on the control’s effectiveness at a specific time. Separate evaluations of internal control may vary in scope [illegible] of such evaluations necessary for management [illegible] effectiveness of the internal control is a matter of judgment depending upon the significance [illegible] controlled and the importance of control in reducing those risks.7 Evaluation of all control is usually needed less often than for specific parts of the structure. However, control evaluation may be prompted by such things as changes in major management plans or strategies, major expansion or downsizing of the agency, or significant changes in operations or processing of financial data.

Separate evaluations often take the form of self-assessments. In such cases individuals responsible for a particular unit or function should determine the effectiveness of control for their own activities.
Inspectors General may perform the evaluation as a part of their regular duties. External auditors may also be used, or a combination of methods may be employed.

Evaluating the internal control is a process. Specific approaches or techniques may vary by agency, but discipline must be brought to the process and there are certain basics inherent in it. The people performing the evaluation must understand each of the agency’s activities and each of the components of the internal control being addressed. Evaluators must determine how the control actually works and compare that to the way it was intended to work. They must be alert to procedures that have become modified over time or may no longer be performed. The evaluator must analyze internal control, test it, and assess the results of tests performed against the backdrop of established criteria. The ultimate goal is to determine whether the control provides reasonable assurance with respect to the stated objectives.

There are many types of evaluation methodologies and tools available. Some of these include checklists, questionnaires, flowcharting methods, quantitative techniques and lists of control objectives, and direct testing of control effectiveness. The evaluator should use those most appropriate to the circumstances encountered and the purposes of the evaluation. Benchmarking against other agencies, nongovernmental entities, or trade or association standards may also be used. Management consultants and auditors may also be helpful.

Internal control should be documented. The evaluator may find, however, that some informal and undocumented internal control activities have been developed and implemented. All this control may be tested by the evaluator and may prove to be effective. Nevertheless, an appropriate level of documentation usually makes the evaluation more efficient and helps employees understand how the structure works and their part in it. Therefore, the evaluator may wish to extend the documentation during the evaluation process and recommend that management document control in a formal manner. Appropriate documentation may be needed if assertions are to be made to additional parties about control or the evaluation.

7 The Federal Managers’ Financial Integrity Act of 1982 (31 U.S.C. 3512([illegible])) states that heads of executive agencies are to make an annual evaluation of their internal control, using guidelines established by OMB. Those guidelines, OMB Circular A-123, Revised, “Management Accountability and Control,” state that “Agency managers should continually monitor and improve the effectiveness of management control associated with their programs. This continual monitoring, and other periodic evaluations, should provide the basis for the agency head’s annual assessment of and report on management control, required by the Integrity Act.”

3. Internal Reporting of Deficiencies

Deficiencies in the agency’s internal control can show up via the ongoing monitoring activities, as a result of a separate evaluation, or via external parties. A “deficiency” is a condition within the internal control worthy of attention. A deficiency may represent a perceived, potential, or real problem, or an opportunity to strengthen the agency’s internal control.

Obviously, when deficiencies are found, they need to be reported. Exactly which problems warrant reporting is highly subjective, but some guidelines can be drawn. All internal control deficiencies that can affect the agency’s attainment of its objectives should be reported up the chain of command to those who can take necessary action.
In considering what needs to be communicated, it is necessary to look at the implications of the findings. What seems to be a simple problem with an apparently simple solution might have more far-reaching control implications. This underscores the need for reporting deficiencies or other problems up the chain of command. It is essential not only that the deficiency be reported, but that potentially faulty control be reevaluated and fixed.

Providing information to the correct person up the chain of command is critical to the effectiveness of the internal control. It is essential that deficiencies be reported to an official who is in a position to ensure that appropriate remedial actions are implemented. A general rule is that a manager should receive control information needed to affect action or behavior of people under his or her responsibility or to achieve the activity’s objectives. However, some critical weaknesses have implications that transcend organizational divisions and these must be resolved at an agencywide level.

Regardless of their organizational placement within an agency, the responsible official would need supporting information on the nature of matters that could have significant financial consequences or strategic implications, or that could affect the agency’s reputation. The head of the agency should be informed of any serious deficiencies, errors, problems, or infractions of policies and procedures. Senior managers should be apprised of control deficiencies affecting their units, and lower-level managers should be informed of control deficiencies in their units in increasing levels of detail as one moves down the organizational structure. In addition, oversight groups, such as a senior management council, may recommend to the agency head which deficiencies are deemed to be material to the agency as a whole,
[illegible] conditions are reportable, and therefore should be included in the annual Federal Managers’ Financial Integrity Act report to the President.8

8 See footnote 5, regarding Senior Management Councils as discussed in OMB Circular A-123. In addition, see the standard for reporting to external parties.

EVALUATION AND REPORTING STANDARDS

The second group of internal control standards consists of three standards which address the evaluation of the effectiveness of the agency internal control, reporting on internal control to parties external to the agency, and responding to audit findings and recommendations. These standards are discussed below.

Effectiveness of Internal Control

For internal control to be judged effective, management must have reasonable assurance that

• the agency’s operational objectives are being met,

• the published financial statements and reports prepared for internal and external use (such as budget execution reports) are reliably prepared, and

• compliance with applicable laws and regulations is being achieved.

Internal control is a process, but the effectiveness of the control is the state or condition of the process at a specific time. Since internal control is designed to help an entity achieve its objectives, the measurement of effectiveness should be closely tied to how well internal control is judged to be helping management meet those objectives.
A subset of objectives for internal control relates to safeguarding of assets. Therefore, a measurement of the effectiveness of an agency’s internal control with regard to safeguarding of assets would be as follows:

Internal control can be judged effective in safeguarding assets if management has reasonable assurance that unauthorized acquisition, use, or disposition of the agency’s assets is being prevented or detected promptly.

Determining whether an agency’s internal control is effective should be based upon an assessment of whether the five component standards have been met.9 The component standards are [illegible] relate directly to the [illegible] and operation of internal control. They include the control environment, risk assessment, control activities, information and communication, and monitoring of control. The effective functioning of these component standards provides management with reasonable assurance regarding the achievement of objectives in one or more of the stated categories or subsets of those categories. Therefore, these component standards are the criteria against which internal control effectiveness is measured.

All five component standards must be met for internal control to be effective. This does not mean, however, that each standard should be met in an identical manner, or even at the same level, in different agencies. All the standards have to be considered in the context of the particular agency and its own set of conditions and circumstances.

Some trade-offs may exist between standards. A specific internal control can serve a variety of purposes. A control designed to meet the requirements of one standard might also serve the purposes of a control that might ordinarily be present to meet the requirements of a different standard.
In addition, a control can differ in the degree to which it addresses a particular risk so that a complementary control, with limited effect, together can satisfactorily meet the requirement.

The significance of internal control weaknesses must be evaluated in determining their impact on the five component standards and the control objectives. OMB has [illegible] materiality for reporting matters under the FMFIA in Circulars [illegible] “Financial Management Systems,” July 23, 1993. OMB defines a [illegible] control as a material weakness when the agency head determines the weakness to be significant enough to be reported in the required external FMFIA report. Additional guidance for evaluating financial reporting deficiencies is provided by Generally Accepted Auditing Standards (GAAS) issued by the American Institute of Certified Public Accountants. GAAS defines a material weakness as a reportable condition10 in which the design or operation of internal control does not reduce to a relatively low risk that losses, noncompliance, or misstatements in amounts that would be material in relationship to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. The existence of a material weakness is prima facie evidence that one or more internal control objectives are not being met. Further, reportable conditions, in combination, may result in a material weakness.

Inspectors General reports, along with other reports on agency operations and financial reporting, such as an audit report on the entity’s financial statements, should be considered in evaluating whether the objectives of internal control are being met.
10 GAAS defines a reportable condition as a matter which could adversely affect the entity’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Such deficiencies may adversely affect one or more of the five component standards of internal control.

[illegible] internal control deficiencies identified by managers and employees should be reported to higher level managers in the organization.

Reporting to External Parties

Management shall provide an annual public report presenting its assertion about the effectiveness of its internal control.

The Federal Managers’ Financial Integrity Act of 1982 requires annual reporting on agency internal control. The Act directs the head of each executive agency to provide an annual statement as to whether the agency’s internal control complies with the standards prescribed by the Comptroller General. Essentially, this requires the report to make a declaration as to the effectiveness of the internal control. If the internal control does not comply with such requirements, the report is to identify material weaknesses and the plans and schedule for correcting those weaknesses. OMB Circular A-123, “Management Accountability and Control,” provides agencies guidance on how to satisfy the FMFIA reporting requirement.

Prompt Resolution of Audit Findings

Audit findings shall be promptly resolved. Managers are to (1) promptly evaluate findings and recommendations reported by auditors, (2) determine proper actions in response to audit findings and recommendations, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management’s attention.11

This standard requires managers to take prompt, responsive action on all findings and recommendations made by internal or external auditors.
Responsive action is action that corrects identified deficiencies or demonstrates that corrective action would not be necessary. When audit findings identify opportunities for improvement rather than cite deficiencies, responsive action is action that produces improvements.

The audit resolution process begins when the results of an audit are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates the audit findings and recommendations are either invalid or do not warrant management action, in the case where management disagrees with the audit recommendations.

11 This standard is required by the Federal Managers’ Financial Integrity Act of 1982, which states that “The standards prescribed by the Comptroller General under this paragraph shall include standards to ensure the prompt resolution of all audit findings.”

Management (as well as auditors) should follow up on audit findings and recommendations to ascertain that resolution has been achieved. Auditors’ findings and recommendations should be monitored through the resolution and follow-up processes. Top management should be kept informed through periodic reports so it can ensure the quality and timeliness of individual resolution decisions.

INDIVIDUAL ROLES AND RESPONSIBILITIES

Everyone in an agency has some responsibility for internal control. Management, however, is responsible for internal control with the ultimate responsibility at the top with the agency head.
Many others within the organization also carry some responsibility for internal control within their particular functional or activity areas. Many groups external to the agency contribute to the effectiveness of the internal control, but they are not usually considered to be a direct part of the structure.

Management

Agency management is directly responsible for all activities of the entity including internal control. Of course, management at different levels has different internal control responsibilities. The head of the agency has ultimate responsibility and his or her influence on internal control cannot be overstated. The senior managers at the activity level and in the functional areas should have responsibility for internal control related to their units’ objectives and they should provide direction and guidance for effective internal control policies and procedures within their areas. Likewise, down the chain of command, lower-level managers and supervisors should take responsibility for more specific internal control activities and procedures.

Agency Chief Financial Officers (CFO) and other financial and accounting personnel are of particular significance in monitoring internal control since their activities cut across all of the entity. They are often involved in entitywide planning and budgeting and are in a unique position for detecting fraud. In addition, as a member of top management, the CFO helps set the tone of the organization with regard to ethical conduct and can highlight the importance that should be placed on reliable financial reporting and internal auditing.

Regarding internal control, one of the most important units is an audit committee. While duties and responsibilities of an audit committee may vary from entity to entity, certain characteristics and functions are common to all. The committee is
in the position to question top management on internal control decisions and to ensure that corrective actions are taken. Also, the audit committee is in the best position to prevent or question top management from overriding internal control. In some cases, the audit committee includes members from outside the entity, thus further strengthening the monitoring activities over control by the committee. While federal agencies usually do not have audit committees, some agencies do have a “senior management council”12 which can, in many respects, fulfill the role of a board for some agencies. In addition, it may be possible in the future for some agencies to have groups that fulfill the internal control functions and responsibilities of an audit committee.

Employees

All agency employees play some role in developing, maintaining, and assuring good internal control. In addition, all employees are responsible for communicating information about problems such as noncompliance with rules or violations of policy, etc., to higher levels in the entity. To ensure that all employees are involved in internal control, the roles and responsibilities of each person should be well defined and effectively communicated by management.

Inspectors General

Inspectors General directly assess internal control and make recommendations to management for improvements. All activities of the agency are potentially within the scope of their review, including operations, financial reporting, and compliance aspects of control. Inspectors General should be independent and have authority to report
directly to the agency head to order appropriate action. Inspectors General communicate audit findings, analytical information, and recommendations for use in helping to achieve the agency’s objectives. They also alert management to deficiencies in internal control that come to their attention during their audits.

It is important to note that the Inspector General does not have the primary responsibility to establish or maintain internal control. That always belongs to the head of the agency.

External Auditors

Whether the agency is audited by government auditors or a private CPA firm, external auditors can provide a unique, independent, and objective view on internal control. External auditors usually have to gain sufficient knowledge of an agency’s internal control in order to plan their audit. The amount of attention given varies from audit to audit. Nevertheless, auditors often are in a position to provide management with useful information about internal control, especially when deficiencies are found.

12 See footnote 5, regarding Senior Management Councils as discussed in OMB Circular A-123.

The Congress

The mission and operations of a federal agency are governed by the [illegible] and legislative oversight actions of the Congress. The agency’s internal control is no exception.
Laws enacted by the Congress require the development and implementation of internal control to help effectively and efficiently achieve the objectives of the program or other requirements of the legislation. A number of laws specifically address internal control including the Budget and [illegible] Corrupt Practices Act [illegible] and the FDIC Improvement Act of [illegible]. [illegible] activities, may also enact additional legislation to improve agency operations that result in modified agency policies and procedures (internal control) needed to implement the requirements.

Other Oversight Bodies

Other oversight bodies include the central agencies (OMB, Treasury, GSA, and OPM) and GAO. The central agencies provide guidance to agencies. For example, GSA sets the requirements for certain areas including federal property management and employees’ travel, and the OPM has oversight over federal personnel matters. Treasury’s responsibilities include providing financial policy and procedural guidance to agencies concerning financial reporting and other fiscal matters. OMB has broad responsibilities for central direction for budget formulation and oversight of agency operations, including information security. GAO supports the Congress in its role primarily through audits of agency operations and the spending of federal funds.

Other External Parties

External parties can supply insight to agency management that an internal control problem exists. This may come via complaints from those the agency serves including the public or specific customers, from vendors and suppliers with which the agency deals, or direct reporting of improprieties by employees.
In addition, groups such as financial analysts, taxpayer groups, the news media, etc., are always interested in how well an agency is doing or not doing, its plans and objectives, and actions taken in response to political and economic activities. Their investigative and monitoring activities can provide management with information on how others perceive the agency’s performance, the risks it faces, and the value of its strategies and actions. This information can be useful in enhancing internal control to achieve objectives.

13 See appendix III for a more comprehensive listing of laws, requirements, and [illegible] affecting internal control.

INTERNAL CONTROL LIMITATIONS

One of the fundamental concepts underlying the definition of internal control is that, no matter how well designed and operated, an agency’s internal control structure can give only reasonable assurance, not absolute assurance, that objectives of the agency will be achieved. This is true because of limitations that are inherent in all internal control structures. These limitations include poor judgment and human mistakes, management’s ability to override control, collusion by two or more persons to circumvent control, and the need to consider costs and benefits relative to internal control. In addition, no matter how well internal control operates, some events or conditions that can affect the achievement of objectives will always remain outside the control of management.

The effectiveness of internal control may be limited by the realities of human judgments and mistakes.
Decisions requiring judgment must often be made in a limited time, without benefit of full information, and under the pressures of conducting agency business. These judgmental decisions are likely to affect the achievement of objectives with or without good internal control. In addition, internal control can be rendered ineffective by ordinary personnel mistakes. This can happen, for example, by personnel misunderstanding instructions or making errors due to carelessness, distraction, or fatigue. Another example might be mistakes made by a temporary employee filling in for a regular employee on vacation or sick leave. These types of errors may occur because management has not provided proper supervision, training, or guidance. Internal control cannot provide absolute assurance of protecting the agency from inefficient, inadequate, or inept managerial decisions.

Management Override

Management, by virtue of its authority, may be capable of overruling prescribed policies, procedures, or other control for improper purposes with the intent of personal gain or an enhanced presentation of the agency’s financial situation or compliance status. Override practices could include deliberate falsifications or misrepresentations to agency officials, central agencies, lawyers, accountants, auditors, vendors, and others. It could also include issuing false documents, such as purchase orders or receipts. Management override, however, should not be confused with management intervention, which is management’s departure from prescribed policies or procedures for legitimate purposes. Intervention may be necessary to deal with
Management actions to intervene in internal control should be documented and disclosed to appropriate personnel. .- - Collusion . Collusion can result in an internal control failure. Individuals acting collectively ,to perpetrate and conceal an action from detection may be able to alter financial data or other management information in a,manner that cannot-be identified by internal control. Costs Versus Benefits Each entity must consider the relative costs and benefits of establishing specific internal control. Jr-deciding whether a particular control should be established, the risk of failure and the potentiaLeffect on the entity should be considered along with the costs of establishing and maintaining the control. Usually, it is easier to estimate the cost of establishing the control as opposed to the more subjective,measurement of the benefits provided. Even so, measuring cost can be difficult, especially with regard to issues such as management’s commitment to ethical values or the competence of personnel. In addition, the complexity of cost-benefit determinations is compounded by the interrelationship of) control when .it is “built in” to the businessprocesses and when several internal control activities operate together to mitigate a particular risk. The challenge is ‘to find the right ,balance.. Excessive control is costly and r counterproductive. Too little control presents undue risks. However, management is responsible.for maintainmg effective internal control and the burden of proof rests with management in determinin g costs verses benefits of internal, control. _‘.,‘- -GAO/MMDBS-21.3.1ProposedRevision of I/C Stds (124 APPENDIX I - QUESTIONS FOR RESPONDENTS TO THE PROPOSED STANDARDS Suggestionsand comments on this exposure draft are welcome from the entire federal community, the accounting and auditing profession, and academic community as well as others interested in improving the development of federal internal control. 
Comments on any section of the document are encouraged. Specific questions and issues related to each section and standard are presented below. These questions are intended as an aid for respondents reviewing the draft. Reviewers are not required to comment on the questions. Neither are they precluded from commenting on topics not specifically listed. Responses will be most helpful if they include relevant information, rationale, and alternatives, rather than mere expressions of preference.

Introduction

1. The most important and fundamental concepts underlying internal control are presented in this section. These include the view of internal control as a process, run by people, aimed at achieving objectives in one or more overlapping categories, and providing reasonable assurance that those objectives are being met. Are these fundamental concepts complete or would you suggest others that should be discussed here? If so, please list them and explain your reasoning.

Control Environment

2. This standard discusses seven major factors that significantly affect providing a positive and supportive attitude toward the agency's internal control. Are these complete? If not, what additional factors should be added and why?

Risk Assessment

3. This standard calls for the identification of internal and external risks which the agency may face and provides examples of several possible techniques for identifying those risks. Should any additional ones be discussed? Should any be removed and, if so, why?

4. The standard describes that risk analysis includes estimating risk significance, frequency and likelihood of occurrence, as well as considering actions to be taken to manage the risk. Do you agree with this presentation? Are there other issues regarding risk identification, analysis, and management that should be discussed at the broad standard level?

Control Activities

5.
This standard discusses 10 major types of control activities (control procedures, techniques, methods, mechanisms, etc.) and states that these are not meant to be all-inclusive. Are there additional ones that you believe should be included here? If so, what are they and why should they be included?

6. Realizing that a standard is broad, high-level guidance, are the discussion and requirements of this standard adequate with regard to control over information systems? If not, what additional information or requirements should be included?

Information and Communications

7. This standard discusses and explains control that should be in place for the agency to gather information and communicate it to those who need it, both within the agency and external to it. Should any additional specific control be included? If so, what control, and why?

Monitoring

8. The standard presents two forms of monitoring, ongoing evaluations and separate evaluations, and discusses the control activities involved in each. Do you agree with this presentation and are there any additional control activities that should be added to either type of monitoring?

Effectiveness of Internal Control

9. The standard presents criteria for measuring the effectiveness of an agency's internal control based upon whether, and to the degree that, the component standards have been met. Do you agree with these criteria? Are there other methods or criteria that should be used to measure internal control effectiveness? If so, please explain.

Reporting to External Parties

10. Some specific requirements for reporting on internal control come from legislation and are reiterated by the requirements of this proposed standard. One requirement calls for the report to be signed by the head of the agency (as required by law). Should another high level official, such as the agency's chief
financial officer, also sign the report? What would you add to or delete from the proposed standard and why?

Prompt Resolution of Audit Findings

11. The requirement to include this standard comes from the Federal Managers' Financial Integrity Act of 1982. It has been included almost completely as it appears in the current standards. Do you think it needs to be changed in any way?

Individual Roles and Responsibilities

12. The exposure draft states that management is ultimately responsible for internal control. It discusses the role that management has to play and then discusses the roles played in internal control by various other groups, both internal and external to the agency. Do you know of any other groups that should be included in this discussion? If so, what exactly are their responsibilities regarding internal control?

Internal Control Limitations

13. This section discusses the inherent limitations of internal control and the fact that the internal control structure can never provide absolute assurance that objectives will be achieved. The discussion specifically focuses on certain limiting factors, i.e., human judgment and mistakes, management override, collusion, and the cost versus the benefits of internal control. Do you believe any additional inherent limitations should be presented? If so, what limitations and exactly how do they affect the internal control structure?

APPENDIX II - CROSSWALK FROM EXISTING STANDARDS TO PROPOSED STANDARDS

EXISTING STANDARDS [1] / PROPOSED REVISION

[1] "Standards For Internal Controls In the Federal Government," GAO, 1983, Title 2, Appendix III, GAO Policy and Procedures Manual for Guidance of Federal Agencies.

Introduction

Purpose of Internal Control Standards
Existing standard: This document contains the Comptroller General's internal control standards to be followed by executive agencies in establishing and maintaining internal control as required by FMFIA.
Proposed revision: See Introduction, page 5, first paragraph, first sentence - similar wording.

Objectives of Internal Control
Existing standard:
- Obligations and costs comply with applicable law;
- All assets are safeguarded against waste, loss, unauthorized use, and misappropriation.
- Revenues and expenditures applicable to agency operations are recorded and accounted for properly so that accounts and reliable financial and statistical reports may be prepared and accountability of the assets may be maintained.
Proposed revision: See Introduction, page 5, where Objectives lists three major categories of internal control objectives:
- operations - relating to efficient and effective use of resources,
- financial reports - relating to preparation of reliable financial statements, and
- compliance - relating to the agency's compliance with laws and regulations.
A subset of these objectives is the safeguarding of assets.

Requirements of Management
Existing standard:
- Make an annual evaluation of their internal control using guidelines established by OMB.
Proposed revision: See Introduction, page 7, Evaluation and Reporting Requirements - similar wording. See Monitoring Standard, page 30, footnote 7 states that continual monitoring and periodic evaluations should provide the basis for the annual assessment.
Existing standard:
- Provide annual reports to the President and Congress that state whether agency systems of internal control comply with the objectives of internal control and with the standards.
Proposed revision: See Introduction, page 7, Evaluation and Reporting Requirements - provide annual reports to the President - similar wording. (Also, see footnote 3, page 11.) See Reporting to External Parties Standard, page 35.

Existing standard:
- Where systems do not comply, agency reports must identify the weaknesses involved and describe the plans for correction.
Proposed revision: See Introduction, page 7, Evaluation and Reporting Requirements - similar wording. See Reporting to External Parties Standard, page 35.

Definition of Internal Control
Existing standard: The plan of organization and methods and procedures adopted by management to ensure that resource use is consistent with laws, regulations, and policies; that resources are safeguarded against waste, loss, and misuse; and that reliable data are obtained, maintained, and fairly disclosed in reports.
Proposed revision: See Introduction, page 5, Definition, which says that internal control is a process, effected by an agency's management and other personnel, designed to provide reasonable assurance that the objectives of the agency are being met in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. The definition also covers the safeguarding of assets.

Other Introductory Material
Existing standard:
- The ultimate responsibility for good internal control rests with management.
Proposed revision: See Introduction, page 6, Fundamental Concepts, Internal Control is Effected By People - similar wording. Also, see Individual Roles and Responsibilities, page 37, which says the head of the agency is ultimately responsible for internal control.

Existing standard:
- Internal control should not be looked upon as separate, specialized systems within an agency. Rather, they should be recognized as an integral part of each system that management uses to regulate and guide its operations.
Proposed revision: See Introduction, page 6, Fundamental Concepts, Internal Control is a Process - similar wording.

Existing standard:
- The internal control standards define the minimum level of quality acceptable for internal control systems in operation and constitute the criteria against which systems are to be evaluated. These internal control standards apply to all operations and administrative functions but are not intended to limit or interfere with duly granted authority related to development of legislation, rulemaking, or other discretionary policy-making in an agency.
Proposed revision: See Internal Control Standards, page 9; introductory paragraph uses same wording. See Detailed Explanation of Standards, page 12; introductory paragraph uses same wording.

General Standards

Existing standard: Reasonable Assurance. Internal control systems are to provide reasonable assurance that the objectives of the systems will be accomplished.
Proposed revision: See Introduction, page 5, Definition of internal control states that they are designed to provide reasonable assurance that objectives are being met. See Introduction, page 6, Fundamental Concepts - one of the main concepts is that internal control structures can provide only reasonable assurance, not absolute assurance that objectives are being met. See section on Internal Control Limitations, page 40, where introductory paragraph discusses the reasonable assurance concept.

Existing standard: Supportive Attitude. Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal control at all times.
Proposed revision: See the Control Environment Standard, pages 13-16. The entire standard relates to management and employees establishing a
positive and supportive attitude toward internal control. The Standard discusses seven major factors significantly affecting the control environment.

Existing standard: Competent Personnel. Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control.
Proposed revision: See the Control Environment Standard, pages 13-14, Integrity and Ethical Values and Commitment to Competence. These are two of the major factors significantly affecting the control environment. Management has a primary role in demonstrating integrity and ethical conduct. Management should be committed to developing and maintaining a high level of competence among all employees. See the Control Environment Standard, page 15, Human Resource Policies and Practices, which states that this factor ties closely with the ones on commitment to competence and assignment of authority and responsibility. Also, see Monitoring Standard, page 29, Ongoing Monitoring Activities. Asking employees regularly to state explicitly whether they understand and comply with the code of conduct is listed as an ongoing monitoring activity which agencies should incorporate into their internal control structures.

Existing standard: Control Objectives. Internal control objectives are to be identified or developed for each agency activity and are to be logical, applicable, and reasonably complete.
Proposed revision: See Introduction, pages 5-6, Definition and Objectives. This section discusses the establishment of objectives and subsets of objectives for the entire agency. Objectives at these different levels should be linked to activities throughout the organization and should be internally consistent and complementary.

Existing standard: Control Techniques. Internal control techniques are to be effective and efficient in accomplishing their internal control objectives.
Proposed revision: See Control Activities Standard, pages 19-24. This standard addresses control activities which are the policies, procedures, techniques, and mechanisms that ensure that management's directives are being carried out to meet the agency's objectives. It states that control activities must be effective and efficient to provide a high degree of assurance that internal control objectives are being achieved.

Specific Standards

Existing standard: Documentation. Internal control systems and all transactions and other significant events are to be clearly documented, and the documentation is to be readily available for examination.
Proposed revision: See Control Activities Standard, page 22. Documentation is listed as a type of control activity that should be common to all agencies. Standard calls for documentation of internal control and all transactions and significant events. See Control Activities Standard, page 23, Control Over Information Systems, General Control: A particular type of general control is Application System Development and Maintenance Control which includes documentation requirements. See Monitoring Standard, pages 30-31, Separate Evaluations which states that an evaluator may find undocumented internal control.
If these prove to be effective, they should be documented.

Existing standard: Recording of Transactions and Events. Transactions and other significant events are to be promptly recorded and properly classified.
Proposed revision: See Control Activities Standard, page 21, where Recording of Transactions and Events is listed as a type of control activity that should be common to all agencies. Similar wording is used.

Existing standard: Execution of Transactions and Events. Transactions and other significant events are to be authorized and executed only by persons acting within the scope of their authority.
Proposed revision: See Control Activities Standard, page 21, where Execution of Transactions and Events is listed as a type of control activity that should be common to all agencies. Similar wording is used.

Existing standard: Separation of Duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals.
Proposed revision: See Control Activities Standard, page 21, where Segregation of Duties is listed as a type of control activity that should be common to all agencies. Similar wording is used. Also, see Monitoring Standard, page 29, Ongoing Monitoring Activities, where separation of duties and responsibilities is listed as an ongoing monitoring activity which agencies should incorporate into their internal control structures.

Existing standard: Supervision. Qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved.
Proposed revision: See Control Environment Standard, pages 14-15, Assignment of Authority and
Responsibility, which states that implicit in the assignment of authority and responsibility is the requirement to provide qualified and continual supervision to keep employees aware of their duties and to know the extent of their accountability. See Control Environment Standard, page 15, Human Resource Policies and Practices, which calls for supervision, review, and approval of assigned work. Similar wording is used. Also, see Monitoring Standard, page 29, Ongoing Monitoring Activities where appropriate organizational structure and supervision are listed as ongoing monitoring activities which agencies should incorporate into their internal control structures.

Existing standard: Access to and Accountability for Resources. Access to resources and records is to be limited to authorized individuals, and accountability for the custody and use of resources is to be assigned and maintained. Periodic comparison shall be made of the resources with the recorded accountability to determine if the two agree. The frequency of the comparison shall be a function of the vulnerability of the asset.
Proposed revision: See Control Activities Standard, pages 21-22. Access Restrictions to and Accountability for Resources and Records is listed as a type of control activity that should be common to all agencies. Similar wording is used.

Audit Resolution Standard

Prompt Resolution of Audit Findings.
Proposed revision: See Prompt Resolution of Audit Findings Standard, pages 353~similar wording.
Existing standard: Managers are to:
- promptly evaluate findings and recommendations reported by auditors,
- determine proper actions in response to audit findings and recommendations, and
- complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention.

APPENDIX III - LAWS, REQUIREMENTS, AND POLICIES AFFECTING INTERNAL CONTROL

LAW/GUIDANCE / EFFECT

Budget and Accounting Procedures Act of 1950

Establishes that GAO audits be directed at determining the extent to which . . . . adequate internal financial control over operations is exercised.

Requires the head of each executive agency to establish and maintain systems of accounting and internal control designed to provide, among other things, effective control over and accountability for all funds, property, and other assets.

States that GAO audits shall consider the effectiveness of accounting organizations and systems, internal audit and control, and related administrative practices of the respective agencies.

Foreign Corrupt Practices Act of 1977

Requires the Securities and Exchange Commission registrants to devise and maintain a system of internal accounting control sufficient to provide reasonable assurances that (1) transactions are executed in accordance with management's general or specific authorization, (2) transactions are recorded as necessary . . . to maintain accountability for assets, (3) access to assets is permitted only in accordance with management's general or specific authorization, and (4) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Federal Managers' Financial Integrity Act of 1982

Requires GAO to prescribe standards of internal accounting and administrative control and agencies to comply with them.
Internal control provides reasonable assurance that (1) obligations and costs comply with applicable law, (2) assets are safeguarded against waste, loss, unauthorized use, or misappropriation, and (3) revenues and expenditures are recorded and accounted for properly so that accounts and financial and statistical reports may be prepared and the accountability of assets may be maintained.

Requires that the internal control standards include standards to ensure the prompt resolution of all audit findings.

Requires OMB to establish guidelines for agency evaluation of internal control to determine compliance with the internal control standards.

Requires agency heads to (1) annually evaluate their internal control using the OMB guidelines, and (2) annually report to the President and the Congress [15] on whether the agency's internal control comply with the standards and objectives set forth in the act. If they do not fully comply, the report must identify the weaknesses and describe plans for correction. The report is to be signed by the head of the agency.

Single Audit Act of 1984 [16]

Requires that audits of state or local governments receiving federal financial assistance over specified amounts shall determine and report whether the government, department, agency, or establishment has internal control systems to provide reasonable assurance that it is managing federal financial assistance programs in compliance with applicable laws and regulations.

If the audit finds any material weakness in the internal control the State or local government shall submit to appropriate federal officials a plan for corrections to eliminate such weakness or a statement describing the reasons that correction is not necessary. Such plan shall be consistent with the audit resolution standard promulgated by GAO.
Chief Financial Officers Act of 1990

States that the purposes of the Act are to ensure improvement in agency systems of accounting, financial management, and internal control; to assure the issuance of reliable financial information; and to deter fraud, waste, and abuse of government resources.

Requires that agency CFOs develop and maintain integrated agency accounting and financial management systems, including financial reporting and internal control.

Requires agency CFOs to prepare and transmit an annual report to the agency head and the Director of the OMB which shall include . . . a summary of the reports on internal accounting and administrative control systems submitted to the President and the Congress under the amendments made by the Federal Managers' Financial Integrity Act of 1982.

Requires government corporations to submit an annual management report to the Congress which includes a statement on internal accounting and administrative control systems by the head of the management of the corporation, consistent with the requirements for agency statements on internal accounting and administrative control systems under the amendments made by the Federal Managers' Financial Integrity Act of 1982.

[15] The Federal Reports Elimination and Sunset Act of 1995 eliminates, effective for 2, 1999, the requirement to report to the Congress.

[16] The Single Audit Act Amendments of 1996 included a number of changes to facilitate more uniform [illegible] performance and reporting [illegible] organizations, such as [illegible] the dollar threshold that triggers an audit and requiring minimum program coverage [illegible].
Federal Deposit Insurance Corporation Improvement Act of 1991

Requires that insured depository institutions with assets of $150 million [17] or more prepare an annual report containing a statement of management's responsibilities for establishing and maintaining an adequate internal control structure. The report must also contain an assessment of the effectiveness of the internal control structure and procedures.

Requires that, with respect to such internal control reports, the institution's independent public accountant shall attest to and report separately on the assertions made by management.

[17] The act provided the Federal Deposit Insurance Corporation (FDIC) with authority to raise the $150 million threshold. FDIC set the reporting threshold for insured depository institutions for assets of $500 million or more (12 CFR 363).

Government Performance and Results Act of 1993

The Act requires that an agency's strategic plan contain six key components: (1) a comprehensive agency mission statement, (2) agencywide long-term goals and objectives for all major functions and operations, (3) approaches (or strategies) and the various resources needed to achieve the goals and objectives, (4) a relationship between the long-term goals and objectives and the annual performance goals, (5) an identification of key factors, external to the agency and beyond its control, that could significantly affect the achievement of the strategic goals, and (6) a description of how program evaluations were used to establish or revise strategic goals and a schedule for future program evaluations.
Internal control plays a major role in assisting management in achieving the agency's mission and providing meaningful information in plans and reports.

Federal Financial Management Improvement Act of 1996

States that much effort has been devoted to strengthening federal internal accounting control in the past, and, while some progress has been made, accounting standards have not been uniformly implemented.

Requires each agency to implement and maintain financial management systems that comply substantially with (1) system requirements, (2) applicable federal accounting standards, and (3) the Standard General Ledger. The system requirements are generally recognized as the requirements contained in JFMIP's Federal Financial Management System Requirements series documents. These internal control standards are consistent with the JFMIP systems requirements.

Requires that each agency's annual audit report state whether the agency's financial management systems comply with the requirements and, if they do not comply, then the report is to state all facts pertaining to the failure to comply.

Requires the head of each agency to determine whether there is compliance based on the audit report and any other information and, if systems are not in compliance, the head of the agency shall establish a plan to bring the systems into compliance.

Requires GAO to report annually to the appropriate committees of the Congress concerning compliance with the requirements and whether the financial statements of the federal government have been prepared in accordance with applicable accounting standards and whether applicable accounting standards for the federal government are adequate.
OMB Circular A-123, "Revised Management Accountability and Control"

Provides guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting, and reporting on management control (internal control). Essentially, this is the OMB guidance for executive agencies required by the Federal Managers'

OMB Circular A-127, "Financial Management Systems"

Prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems including internal control.

Policies and references pertaining to internal control in this circular amplify policies in Circular A-123 or highlight requirements unique to financial management systems. It requires that financial management systems include a system of internal control and requires that appropriate internal control be applied consistently to all system inputs, processing, and outputs.

JFMIP Framework for Federal Financial Management Systems

Describes the framework for establishing and maintaining federal financial management systems, and explains what is meant by a single, integrated agency financial management system. Internal control is an essential part of the integrated financial management system, and this document contains a chapter on internal control that is consistent with these internal control standards.

Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting

As a concepts statement, this document provides general guidance to the Federal Accounting Standards Advisory Board as it deliberates on specific issues. It is also intended to help others to understand federal accounting and financial reports.

This specific concepts statement discusses the objectives of federal financial reporting. The fourth objective addresses systems and control. It states that federal financial reporting should assist report users in understanding whether financial management systems and internal accounting and administrative control are adequate to ensure that
- transactions are executed in accordance with budgetary and financial laws and other requirements, are consistent with the purposes authorized, and are recorded in accordance with federal accounting standards;
- assets are properly safeguarded to deter fraud, waste, and abuse; and
- performance measurement information is adequately supported.

APPENDIX IV - MAJOR CONTRIBUTORS TO THIS EXPOSURE DRAFT

ACCOUNTING AND INFORMATION MANAGEMENT DIVISION
Robert W. Gramling, Director, Corporate Audits and Standards
Bruce Michelson, Senior Assistant Director
Larry J. Modlin, Assistant Director

Ordering Information

The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537.
Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists.

For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: firstname.lastname@example.org or visit GAO's World Wide Web Home Page at: http://www.gao.gov

United States General Accounting Office
Washington, D.C. 20548-0001

Official Business
Penalty for Private Use $300

Address Correction Requested
Standards for Internal Control in the Federal Government (Exposure Draft) (Superseded by AIMD-00-21.3.1)
Published by the Government Accountability Office on 1997-12-01.