Standards for Internal Control in the Federal Government (Exposure Draft) (Superseded by AIMD-00-21.3.1)

Published by the Government Accountability Office on 1999-05-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                     United States General Accounting Office

GAO                  Internal Control

                     Exposure Draft

May 1999
                     Standards for Internal
                     Control in the Federal


           Federal policymakers and program managers are
           continually seeking ways to better achieve agencies’
           missions and program results, in other words, they
           are seeking ways to improve accountability. A key
           factor in helping achieve such outcomes and minimize
           operational problems is to implement appropriate
           internal control. Effective internal control also helps
           in managing change to cope with shifting
           environments and evolving demands and priorities.

           The Federal Managers’ Financial Integrity Act of 1982
           (FMFIA) requires the General Accounting Office (GAO)
           to issue standards for internal control in government.
           The standards provide the overall framework for
           internal control and Office of Management and
           Budget (OMB) Circular A-123, Management
           Accountability and Control, revised June 21, 1995,
           provides the specific requirements for assessing and
           reporting on controls. The term internal control in
           this document is synonymous with the term
           management control (as used in OMB Circular
           A-123) that covers all aspects of an agency’s
           operations (programmatic, financial, and

           Recently, other laws have prompted renewed focus
           on internal control. The Government Performance
           and Results Act of 1993 (commonly known as the
           Results Act) requires agencies to clarify their
           missions, set strategic and annual performance goals,
           and measure and report on performance toward those
           goals. Internal control plays a significant role in
           helping managers achieve those goals. Also, the
           Federal Financial Management Improvement Act of
           1996 identifies internal control as an integral part of
           improving financial management systems.

           In 1983, GAO drew on its previously issued guidance
           and experts throughout government, private sector,

           Page 1                        GAO/AIMD-99-21.3.1 (5/99)

and academic communities to develop and issue
“Standards for Internal Controls in the Federal
Government” to help agencies establish and maintain
effective internal control systems. Although those
standards remain conceptually sound, this update
gives greater recognition to the increasing use of
information technology to carry out critical
government operations and incorporates, as
appropriate, relevant updated internal control
guidance developed by the private sector.

Page 2                      GAO/AIMD-99-21.3.1 (5/99)

                 The following definition, objectives, and fundamental
                 concepts provide the foundation for the internal
                 control standards.

Definition and
                    Internal Control

                    An integral component of an organization’s
                    management that provides reasonable assurance
                    that the following objectives are being achieved:

                    • effectiveness and efficiency of operations,
                    • reliability of financial reporting, and
                    • compliance with applicable laws and regulations.

                 Internal control is a major part of managing an
                 organization. It comprises the plans, methods, and
                 procedures used to meet missions, goals, and
                 objectives and, in doing so, supports
                 performance-based management. Internal control also
                 serves as the first line of defense in safeguarding
                 assets. In short, internal control, which is
                 synonymous with management control, helps
                 government program managers achieve desired
                 results through effective stewardship of public

                 Internal control should provide reasonable assurance
                 that the objectives of the agency are being achieved in
                 the following categories:

                 Page 3                         GAO/AIMD-99-21.3.1 (5/99)

                        •   Effectiveness and efficiency of operations including
                            the use of the entity’s resources.
                        •   Reliability of financial reporting, including reports on
                            budget execution, financial statements, and other
                            reports for internal and external use.
                        •   Compliance with applicable laws and regulations.

                            A subset of these objectives is the safeguarding of
                            assets. Internal control should be designed to provide
                            reasonable assurance regarding prevention of or
                            prompt detection of unauthorized acquisition, use, or
                            disposition of an agency’s assets.

Concepts                        Internal Control

                                • A continuous built-in component of operations.
                                • Effected by people.
                                • Provides reasonable assurance, not absolute

                            The fundamental concepts provide the underlying
                            framework for designing and applying the standards.

Internal Control Is a       Internal control is not one event, but a series of
Continuous Built-in         actions and activities that occur throughout an
Component of                entity’s operations and on an ongoing basis. Internal
                            control should be recognized as an integral part of
Operations                  each system that management uses to regulate and
                            guide its operations rather than as a separate system
                            within an agency. In this sense, internal control is
                            management control that is built into the entity as a

                            Page 4                         GAO/AIMD-99-21.3.1 (5/99)

                      part of its infrastructure to help managers run the
                      entity and achieve their aims on an ongoing basis.

Internal Control Is   People are what make internal control work. The
Effected by People    responsibility for good internal control rests with all
                      managers. Management sets the objectives, puts the
                      control mechanisms and activities in place, and
                      monitors and evaluates the control. However, all
                      employees in the organization play important roles in
                      making it happen.

Internal Control      Management should design and implement internal
Provides Reasonable   control based on the related cost and benefits. No
Assurance, Not        matter how well designed and operated, internal
                      control cannot provide absolute assurance that all
Absolute Assurance    agency objectives will be met. Factors outside the
                      control or influence of management can affect the
                      entity’s ability to achieve all of its goals. For example,
                      human mistakes, judgment errors, and acts of
                      collusion to circumvent control can affect meeting
                      agency objectives. Therefore, once in place, internal
                      control provides reasonable, not absolute, assurance
                      of meeting agency objectives.

                      Page 5                          GAO/AIMD-99-21.3.1 (5/99)
Internal Control Standards

Presentation of
the Standards
                      The Five Standards for Internal Control

                      •   Control Environment
                      •   Risk Assessment
                      •   Control Activities
                      •   Information and Communications
                      •   Monitoring

                  These standards define the minimum level of quality
                  acceptable for internal control in government and
                  provide the basis against which internal control is to
                  be evaluated. These standards apply to all aspects of
                  an agency’s operations: programmatic, financial, and
                  compliance. However, they are not intended to limit
                  or interfere with duly granted authority related to
                  developing legislation, rule-making, or other
                  discretionary policy-making in an agency. These
                  standards provide a general framework. In
                  implementing these standards, management is
                  responsible for developing the detailed policies,
                  procedures, and practices to fit their agency’s
                  operations and to ensure that they are built into and
                  an integral part of operations.

                  In the following material, each of these standards is
                  presented in a short, concise statement. Additional
                  information is provided to help managers incorporate
                  the standards into their daily operations.

                  Page 6                         GAO/AIMD-99-21.3.1 (5/99)
              Internal Control Standards

                  Management and employees should establish
                  and maintain an environment throughout the
                  organization that sets a positive and supportive
                  attitude toward internal control and conscientious

              A positive control environment is the foundation for
              all other standards. It provides discipline and
              structure as well as the climate which influences the
              quality of internal control. Several key factors affect
              the control environment.

              One factor is the integrity and ethical values
              maintained and demonstrated by management and
              staff. Agency management plays a key role in
              providing leadership in this area, especially in setting
              and maintaining the organization’s ethical tone,
              providing guidance for proper behavior, removing
              temptations for unethical behavior, and providing
              discipline when appropriate.

              Another factor is management’s commitment to
              competence. Managers and employees need to
              possess and maintain a level of competence that
              allows them to accomplish their assigned duties, as
              well as understand the importance of developing and
              implementing good internal control. Management
              needs to identify appropriate knowledge and skills
              needed for various jobs and provide needed training,
              as well as candid and constructive counseling, and
              performance appraisals.

              Page 7                          GAO/AIMD-99-21.3.1 (5/99)
Internal Control Standards

Management’s philosophy and operating style also
affect the environment. This factor determines the
degree of risk the agency is willing to take and
management’s philosophy towards
performance-based management. Further, the attitude
and philosophy of management toward data
processing, accounting, personnel functions,
monitoring, and audits and evaluations can have a
profound effect on internal control.

Another factor affecting the environment is the
agency’s organizational structure. It provides
management’s framework for planning, directing, and
controlling operations to achieve agency objectives. A
good internal control environment requires that the
agency’s organizational structure clearly define key
areas of authority and responsibility and establish
appropriate lines of reporting.

The environment is also affected by the manner in
which the agency delegates authority and
responsibility throughout the organization. This
delegation covers authority and responsibility for
operating activities, reporting relationships, and
authorization protocols.

Good human capital policies and practices are
another critical environmental factor. This includes
establishing appropriate practices for hiring,
orienting, training, supervising, evaluating,
counseling, promoting, compensating, and
disciplining personnel. It also includes providing a
proper amount of supervision.

A final factor affecting the environment is the
agency’s relationship with the Congress and central
oversight agencies such as OMB. Congress mandates
the programs that agencies undertake and monitors
their progress and central agencies provide policy and

Page 8                        GAO/AIMD-99-21.3.1 (5/99)
                  Internal Control Standards

                  guidance on many different matters. In addition,
                  Inspectors General and internal senior management
                  councils can contribute to a good overall control

Risk Assessment
                      Internal control should provide for an assessment
                      of the risks the agency faces from both external
                      and internal sources.

                  A precondition to risk assessment is the
                  establishment of clear, consistent agency objectives.
                  Risk assessment is the identification and analysis of
                  relevant risks associated with achieving such
                  objectives and forming a basis for determining how
                  risks should be managed.

                  Management needs to comprehensively identify risks
                  and should consider all significant interactions
                  between the entity and other parties as well as
                  internal factors at both the entity-wide and activity
                  level. Risk identification methods may include
                  qualitative and quantitative ranking activities,
                  management conferences, forecasting and strategic
                  planning, and consideration of findings from audits
                  and other assessments.

                  Once risks have been identified, they should be
                  analyzed for their possible effect. Risk analysis
                  generally includes estimating the risk’s significance,
                  assessing the likelihood of its occurrence, and
                  deciding how to manage the risk and what actions
                  should be taken.

                  Page 9                         GAO/AIMD-99-21.3.1 (5/99)
                     Internal Control Standards

                     Because governmental, economic, industry,
                     regulatory, and operating conditions continually
                     change, mechanisms should be provided to identify
                     and deal with any special risks prompted by such

Control Activities
                          Internal control activities help ensure that
                          management's directives are carried out. The
                          control activities should be effective and efficient
                          in accomplishing the agency's control objectives.

                     Control activities are the policies, procedures,
                     techniques, and mechanisms that enforce
                     management’s directives, such as the process of
                     adhering to requirements for budget development and
                     execution. They help ensure that actions are taken to
                     address risks. Control activities are an integral part of
                     an entity’s planning, implementing, reviewing, and
                     accountability for stewardship of government
                     resources and achieving effective results.

                     Control activities occur at all levels and functions of
                     the entity. They include a wide range of diverse
                     activities such as approvals, authorizations,
                     verifications, reconciliations, performance reviews,
                     maintenance of security, and the creation and
                     maintenance of related records which provide
                     evidence of execution of these activities as well as
                     appropriate documentation.

                     Page 10                          GAO/AIMD-99-21.3.1 (5/99)
                       Internal Control Standards

                       Activities may be classified by specific control
                       objectives, such as ensuring completeness and
                       accuracy of information processing.

Examples of Control
                            • Top level reviews of actual performance,
                            • Reviews by management at the functional or
                              activity level,
                            • Management of human capital,
                            • Controls over information processing,
                            • Physical control over vulnerable assets,
                            • Establishment and review of performance
                              measures and indicators,
                            • Segregation of duties,
                            • Proper execution of transactions and events,
                            • Accurate and timely recording of transactions
                              and events,
                            • Access restrictions to and accountability for
                              resources and records, and
                            • Appropriate documentation of transactions and
                              the internal control structure.

                       There are certain categories of control activities that
                       are common to all agencies. Examples include the

Top Level Reviews of   Management should track major agency achievements
Actual Performance     and compare these to the plans, goals, and objectives
                       established under GPRA.

                       Page 11                        GAO/AIMD-99-21.3.1 (5/99)
                         Internal Control Standards

Reviews by Management    Managers also need to compare actual performance
at the Functional or     to planned or expected results throughout the
Activity Level           organization.

Management of Human      Effective management of an organization’s
Capital                  employees—its human capital—is essential to
                         achieving results and an important part of internal
                         control. Management should view human capital as
                         an asset rather than a cost. Only when the right
                         employees for the job are on board and are provided
                         the right training, tools, strucutre, incentives, and
                         responsibilities is operational success possible.
                         Management should ensure that skill needs are
                         continually assessed and that the organization is able
                         to obtain employees that have the required skills that
                         match those necessary to achieve organizational
                         goals. Training should be aimed at developing and
                         retaining employee skill levels to meet changing
                         organizational needs. Performance evaluation and
                         feedback, supplemented by an effective reward
                         system, should be designed to help employees
                         understand the connection between their
                         performance and the organization’s success. As a part
                         of its human capital planning, management should
                         also consider how best to retain valuable employees,
                         plan for their eventual succession, and ensure
                         continuity of needed skills and abilities.

Controls Over            A variety of controls are used. Examples include edit
Information Processing   checks of data entered, accounting for transactions in
                         numerical sequences, comparing file totals with
                         control accounts, and controlling access to data, files,
                         and programs.

Physical Control Over    Examples include security for and limited access to
Vulnerable Assets        assets such as cash, securities, inventories, and some
                         equipment which might be vulnerable to risk of loss
                         or unauthorized use. Such assets should be

                         Page 12                       GAO/AIMD-99-21.3.1 (5/99)
                          Internal Control Standards

                          periodically counted and compared to control

Establishment and         Activities need to be established to monitor
Review of Performance     performance measures and indicators. These controls
Measures and Indicators   could call for comparisons and assessments relating
                          different sets of data to one another so that analyses
                          of the relationships can be made and appropriate
                          actions taken. Controls should also be aimed at
                          validating the propriety and integrity of both
                          organizational and individual performance measures
                          and indicators.

Segregation of Duties     Key duties and responsibilities need to be divided or
                          segregated among different people to reduce the risk
                          of error or fraud. This should include separating the
                          responsibilities for authorizing transactions,
                          processing and recording them, reviewing the
                          transactions, and handling any related assets. No one
                          individual should control all key aspects of a
                          transaction or event.

Proper Execution of       Transactions and other significant events should be
Transactions and Events   authorized and executed only by persons acting
                          within the scope of their authority. This is the
                          principal means of assuring that only valid
                          transactions to exchange, transfer, use, or commit
                          resources and other events are initiated or entered
                          into. Authorizations should be clearly communicated
                          to managers and employees.

Accurate and Timely       Transactions should be promptly recorded to
Recording of              maintain their relevance and value to management in
Transactions and Events   controlling operations and making decisions. This
                          applies to the entire process or life cycle of a
                          transaction or event from the initiation and
                          authorization through its final classification in
                          summary records. In addition, control activities help

                          Page 13                      GAO/AIMD-99-21.3.1 (5/99)
                         Internal Control Standards

                         to ensure that all transactions are completely and
                         accurately recorded.

Access Restrictions to   Access to resources and records should be limited to
and Accountability for   authorized individuals, and accountability for their
Resources and Records    custody and use should be assigned and maintained.
                         Periodic comparison of resources with the recorded
                         accountability should be made to help reduce the risk
                         of errors, fraud, misuse, or unauthorized alteration.

Appropriate              Internal control and all transactions and other
Documentation of         significant events need to be clearly documented, and
Transactions and the     the documentation should be readily available for
Internal Control         examination. The documentation should appear in
Structure                management directives, administrative policies, or
                         operating manuals and may be in paper or electronic

                         These examples are meant only to illustrate the range
                         and variety of control activities that may be useful to
                         agency managers. They are not all-inclusive and may
                         not include particular control activities that an agency
                         may need.

                         Furthermore, an agency’s entire control structure
                         should be flexible to allow agencies to tailor control
                         activities to fit their special needs. The specific
                         control activities used by a given agency may be
                         different from those used by others due to a number
                         of factors. These could include specific threats they
                         face and risks they incur; differences in objectives;
                         managerial judgment; size and complexity of the
                         organization; operational environment; sensitivity and
                         value of data; and requirements for system reliability,
                         availability, and performance.

                         Page 14                       GAO/AIMD-99-21.3.1 (5/99)
                          Internal Control Standards

Special Control
Activities for
Information Systems              • General Control
                                 • Application Control

                          There are two broad groupings of information
                          systems control - general control and application
                          control. General control applies to all information
                          systems—mainframe, minicomputer, network, and
                          end-user environments. Application control is
                          designed to cover the processing of transactions
                          within the application software.

General Control           This category includes control over data center
                          operations, system software acquisition and
                          maintenance, access security, and application system
                          development and maintenance. More specifically:

                      •   Data center operations control includes job set-up
                          and scheduling, operations activities, backup and
                          recovery procedures, and contingency and disaster
                      •   System software control includes control over the
                          acquisition, implementation, and maintenance of all
                          system software including the operating system,
                          data-based management systems,
                          telecommunications, security software, and utility
                      •   Access security control protects the systems and
                          network from inappropriate access and unauthorized
                          use by hackers and other trespassers or inappropriate
                          use by agency personnel. Specific control activities
                          include frequent changes of dial-up numbers; use of
                          dial-back access; restrictions on users to allow access
                          only to system functions that they need; software and

                          Page 15                        GAO/AIMD-99-21.3.1 (5/99)
                          Internal Control Standards

                          hardware “firewalls” to restrict access to assets,
                          computers, and networks by external persons; and
                          frequent changes of passwords and deactivation of
                          former employees passwords.
                      •   Application system development and maintenance
                          control provides the structure for safely developing
                          new systems and modifying existing systems.
                          Included are documentation requirements;
                          authorizations for undertaking projects; and reviews,
                          testing, and approvals of development and
                          modification activities before placing systems into
                          operation. An alternative to in-house development is
                          the procurement of commercial software, but control
                          is necessary to ensure that selected software meets
                          the user’s needs, and that it is properly placed into

Application Control       This category of control is designed to help ensure
                          completeness, accuracy, authorization, and validity of
                          all transactions during application processing.
                          Control should be installed at an application’s
                          interfaces with other systems to ensure that all inputs
                          are received and are valid and outputs are correct and
                          properly distributed. An example is computerized edit
                          checks built into the system to review the format,
                          existence, and reasonableness of data.

                          General and application control over computer
                          systems are interrelated. Both are needed to ensure
                          complete and accurate information processing. If the
                          general control is inadequate, the application control
                          is unlikely to function properly and could be
                          overridden. The application control assumes effective
                          general control provides immediate feedback on
                          errors, mismatches, incorrect format of data, and
                          inappropriate data access.

                          Because information technology changes rapidly,
                          controls must evolve to remain effective. Changes in

                          Page 16                       GAO/AIMD-99-21.3.1 (5/99)
                  Internal Control Standards

                  technology will change the specific control activities
                  that may be employed and how they are implemented,
                  but the basic requirements of control will not have
                  changed. As more powerful computers place more
                  responsibility for data processing in the hands of the
                  end users, the needed controls should be identified
                  and selected.

Information and
                      Information should be recorded and communicated
                      to management and others within the entity who
                      need it and in a form and within a time frame that
                      enables them to carry out their internal control and
                      other responsibilities.

                  For an entity to run and control its operations, it must
                  have relevant, reliable, and timely communications
                  relating to internal as well as external events.
                  Information is needed throughout the agency to
                  achieve all of its objectives. Pertinent information
                  should be identified, captured, and distributed in a
                  form and time frame that permits people to perform
                  their duties efficiently.

                  Effective communications should occur in a broad
                  sense with data flowing down, across, and up the
                  organization. In additional to internal
                  communications, management should ensure there
                  are adequate means of communicating with, and
                  obtaining information from, external stakeholders
                  that may have a significant impact on the agency
                  achieving its goals.

                  Page 17                          GAO/AIMD-99-21.3.1 (5/99)
             Internal Control Standards

               Internal control monitoring should assess the quality
               of performance over time and ensure that the findings
               of audits and other reviews are promptly resolved.

             Internal control should generally be designed to
             assure that ongoing monitoring occurs in the course
             of normal operations. It is performed continually and
             is ingrained in the agency’s operations. It includes
             regular management and supervisory activities,
             comparisons, reconciliations, and other actions
             people take in performing their duties.

             Separate evaluations of control can also be useful by
             focusing directly on the controls’ effectiveness at a
             specific time. The scope and frequency of separate
             evaluations should depend primarily on the
             assessment of risks and the effectiveness of ongoing
             monitoring procedures. Separate evaluations may
             take the form of self-assessments as well as review of
             control design and direct testing of internal control.
             Separate evaluations also may be performed by the
             agency Inspector General or an external auditor.
             Deficiencies found during ongoing monitoring or
             through separate evaluations should be
             communicated to the individual responsible for the
             function and also to at least one level of management
             above that individual. Serious matters should be
             reported to top management.

             Monitoring of internal control should include policies
             and procedures for ensuring that audit findings are
             promptly resolved. Managers are to (1) promptly
             evaluate audit findings, including those showing

             Page 18                        GAO/AIMD-99-21.3.1 (5/99)
Internal Control Standards

deficiencies and recommendations reported by
auditors, (2) determine proper actions in response to
audit findings and recommendations, and
(3) complete, within established time frames, all
actions that correct or otherwise resolve the matters
brought to management’s attention. The resolution
process begins when audit results are reported to
management, and is completed only after action has
been taken that (1) corrects identified deficiencies,
(2) produces improvements, or (3) demonstrates the
audit findings and recommendations do not warrant
management action.

Page 19                      GAO/AIMD-99-21.3.1 (5/99)
Ordering Information

The first copy of each GAO report and testimony
is free. Additional copies are $2 each. Orders
should be sent to the following address,
accompanied by a check or money order made
out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards
are accepted, also. Orders for 100 or more
copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th & G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling
(202) 512-6000 or by using fax number
(202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available
reports and testimony. To receive facsimile
copies of the daily list or any list from the past
30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide
information on how to obtain these lists.

For information on how to access GAO reports
on the INTERNET, send an e-mail message with
"info" in the body to: info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:
United States
                                    Bulk Rate
General Accounting Office
                               Postage & Fees Paid
Washington, D.C. 20548-0001
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested