Assessing Internal Controls in Performance Audits

Published by the Government Accountability Office on 1990-09-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office
                 Office of Policy
GAO

GAO/OP-4.1.4
Preface


              The government continues to be plagued by serious
              breakdowns in its internal control systems. Some
              problems that could have been substantially
              reduced by more effective internal controls include
              widespread abuses at the Department of Housing
              and Urban Development (mismanagement, theft,
              favoritism, and influence peddling involving billions
              of dollars); submission of falsified testing results to
              the Food and Drug Administration by the manufac-
              turers of generic drugs; the lack of internal controls
              in the savings and loan industry (involving hun-
              dreds of billions in cleanup costs); and continued
              uncontrolled growth of delinquent debts and taxes.

              Internal control problems are not new. Over the
              years, various initiatives have been taken to
              strengthen controls, but they have not always
              worked. Because of continuing control problems,
              GAO staff should place renewed emphasis on
              assessing internal controls related to performance
              audit/evaluation objectives.

              Internal controls are intended to provide reasonable
              assurance that program goals and objectives are
              met; resources are adequately safeguarded and effi-
              ciently utilized; reliable data are obtained, main-
              tained and fairly disclosed in reports; and laws and
              regulations are complied with.

              This guide describes how to assess internal controls.
              The key steps are to

            • determine the significance and the sensitivity of the
              program subject matter;
            • assess susceptibility of misuse of resources, failure
              to attain objectives, and noncompliance with laws
              and regulations;
            • identify and understand relevant internal
              control(s);
            • determine what is already known about control
              effectiveness;
            • assess adequacy of control design;
            • determine, through testing, if controls are effective;
              and
            • report on internal control assessments and discuss
              needed corrective actions.

    The assessment of internal controls requires some
    additional attention at the front end of a job. This
    assessment, if performed systematically as
    described in this guide, can constitute a basis for
    relying on internal controls to reduce the audit/
    evaluation testing otherwise required and thereby
    attain assignment objectives more quickly and with
    fewer staff resources.

    Chapter 1 provides a general overview of assessing
    internal controls. Chapter 2 explains how to assess
    risk exposure. Chapter 3 explains how to assess
    internal control systems. Chapter 4 discusses how
    to report control assessment results. Chapter 5 contains
    a case study to illustrate some concepts discussed in
    earlier chapters.

    The major contributor to this guide was Ben B. Cox,
    Senior Policy Advisor. For further assistance,
    please call 202/275-6172.




    Werner Grosshans
    Assistant Comptroller General
      for Policy




Contents

Preface

Chapter 1
Internal Control Requirements
    Government Auditing Standards
    Internal Control Standards
    General Requirements
    Comprehensive and Targeted Approaches
    Defining Objectives
    Summary of Internal Control Assessments

Chapter 2
Assessing Risk Exposure
    Significance and Sensitivity
    Susceptibility
    “Red Flags”
    Management Support
    Competence of Personnel

Chapter 3
Assessing Internal Control Systems
    Identifying Controls
    Known Control Effectiveness
    Assessing Control Design
    Are Controls Implemented?
    Proper Transaction Documentation

Chapter 4
Reporting on Internal Control Assessments
    Government Auditing Standards
    Reporting Assessment Results

Chapter 5
Case Study: Guaranteed Student Loans
    Background
    Case Study Objective
    Risk Exposure
    Assessing Control Effectiveness
    Designing Audit/Evaluation Tests

Glossary

Table
    Table 2.1: Determining Extensiveness of Audit Tests

Abbreviations

    FIA         Federal Managers’ Financial Integrity Act
    GAO         General Accounting Office
    GPM         General Policy Manual
    IG          Inspector General
    OMB         Office of Management and Budget
    PM          Project Manual
    SAS         Statement on Auditing Standards

Chapter 1
Internal Control Requirements



               This chapter discusses

             • the generally accepted government auditing standards
               contained in GAO’s “Yellow Book,”
             • GAO’s internal control standards,
             • the general requirements and expectations for staff
               to assess internal controls in most assignments,
             • the comprehensive and targeted approaches and
               when to use each approach,
             • the importance of clearly defining assignment
               objectives, and
             • a summary of control assessments.


Government Auditing Standards

               GAO’s Government Auditing Standards (commonly
               referred to as the “Yellow Book”) and chapters 4.0
               of the General Policy Manual (GPM) and 4.1 of the
               Project Manual (PM) require that GAO assignments
               consider agencies’ internal controls.

               For all audits, the standards provide that

               Due professional care should be used in conducting
               the audit and in preparing related reports.

               To meet these standards, consideration must be
               given to the effectiveness and/or the efficiency of
               internal controls in determining the scope of the
               audit to be conducted, the methodology to use, and
               the extent of tests to perform.

               For performance audits/evaluations, the standards
               state:

               An assessment should be made of applicable
               internal controls when necessary to satisfy the
               audit objectives.

               Management is responsible for establishing effective
               internal controls. The lack of management continuity
               in government units because of continuing changes in
               elected legislative bodies and in administrative
               organizations increases the need for effective
               controls.

For financial audits, the standards state:

A sufficient understanding of the internal control
structure is to be obtained to plan the audit
and to determine the nature, timing, and extent
of tests to be performed.

This guide emphasizes expectations for GAO’s performance
audits. Many concepts and principles discussed will also
be useful in financial audits. However, in financial
audits, the primary guidance GAO staff should follow is
contained in the American Institute of Certified Public
Accountants’ Statements on Auditing Standards (SAS). The
principal statements relevant to internal controls are
SAS No. 55 (Consideration of the Internal Control
Structure in a Financial Statement Audit), SAS No. 60
(Communication of Internal Control Structure Related
Matters Noted in an Audit), and SAS No. 63 (Compliance
Auditing Applicable to Government Entities and Other
Recipients of Government Financial Assistance).

Over the past several years, significant changes
have impacted on the expectations of internal control
systems. In 1977, the Foreign Corrupt Practices
Act amended the Securities Exchange Act of 1934
to require securities registrants to devise and maintain
systems of internal accounting controls sufficient
to provide reasonable assurance that transactions are
executed consistently with management’s authorization,
transactions are recorded to permit the preparation of
financial statements that are in accordance with
applicable standards, access to assets is permitted only
in accordance with management’s authorization, and
recorded accountability for assets is compared with
existing assets and appropriate action is taken with
respect to any differences. The 1977 act was the result
of numerous revelations that the falsification of
records and improper accounting had allowed businesses
to make millions of dollars in questionable or
illegal payments.

                       There are proposed initiatives being considered
                       which would, if enacted, impact on the require-
                       ments and expectations of internal controls. For
                       example, the Securities and Exchange Commission
                       has proposed that management be required to issue
                       a report on its assessment of whether the internal
                       control system provides reasonable assurance as to
                       the integrity and reliability of financial reporting.
                       Auditors would be required to report any disagree-
                       ments with management’s report identified during
                       the audit of the financial statements.

                       As of August 1990, a proposed change to the
                       Securities Exchange Act of 1934 was being considered
                       which would require both management and auditors
                       to address and report on internal controls
                       designed to meet the objectives of the Foreign
                       Corrupt Practices Act and protect against illegal acts.

                       This guide supersedes GAO’s Guide for Incorporating
                       Internal Control Evaluations Into GAO Work,
                       dated March 1987.


Internal Control Standards

                       The Federal Managers’ Financial Integrity Act of
                       1982 (FIA) (31 U.S.C. 3512(b)) requires executive
                       agency heads to report annually to the President
                       and the Congress whether agency systems of
                       internal control comply with the act and with the
                       standards prescribed by the Comptroller General.
                       The act states that internal control systems are to
                       reasonably ensure that the following objectives are
                       achieved:

                     • Obligations and costs comply with applicable law.
                     • All assets are safeguarded against waste, loss,
                       unauthorized use, and misappropriation.
                     • Revenues and expenditures applicable to agency
                       operations are recorded and accounted for properly
                       so that accounts and reliable financial and
                       statistical reports may be prepared and
                       accountability of the assets may be maintained.

                      The standards prescribed by the Comptroller Gen-
                      eral are set forth in a 1983 publication entitled
                      Standards for Internal Controls in the Federal
                      Government.

                      This publication states that:

                      “The ultimate responsibility for good internal controls rests
                      with management. Internal controls should not be looked
                      upon as separate, specialized systems within an agency.
                      Rather, they should be recognized as an integral part of each
                      system that management uses to regulate and guide its
                      operations. In this sense, internal controls are management
                      controls. Good internal controls are essential to achieving the
                      proper conduct of Government business with full
                      accountability for the resources made available. They also
                      facilitate the achievement of management objectives by serving
                      as checks and balances against undesired actions. In preventing
                      negative consequences from occurring, internal controls help
                      achieve the positive aims of program managers.”

                      The prescribed standards are as follows:


General Standards

                      Reasonable assurance: Internal control systems are
                      to provide reasonable assurance that the objectives
                      of the systems will be accomplished.

                      Supportive attitude: Managers and employees are to
                      maintain and demonstrate a positive and supportive
                      attitude toward internal controls at all times.

                      Competent personnel: Managers and employees are
                      to have personal and professional integrity and are
                      to maintain a level of competence that allows them
                      to accomplish their assigned duties, as well as
                      understand the importance of developing and
                      implementing good internal controls.







                     Control objectives: Internal control objectives are to
                     be identified or developed for each agency activity
                     and are to be logical, applicable, and reasonably
                     complete.

                     Control techniques: Internal control techniques are
                     to be effective and efficient in accomplishing their
                     internal control objectives.


Specific Standards

                     Documentation: Internal control systems and all
                     transactions and other significant events are to be
                     clearly documented, and the documentation is to be
                     readily available for examination.

                     Recording of transactions and events: Transactions
                     and other significant events are to be promptly
                     recorded and properly classified.

                     Execution of transactions and events: Transactions
                     and other significant events are to be authorized
                     and executed only by persons acting within the
                     scope of their authority.

                     Separation of duties: Key duties and responsibilities
                     in authorizing, processing, recording, and reviewing
                     transactions should be separated among
                     individuals.

                     Supervision: Qualified and continuous supervision
                     is to be provided to ensure that internal control
                     objectives are achieved.

                     Access to and accountability for resources: Access
                     to resources and records is to be limited to author-
                     ized individuals, and accountability for the custody
                     and use of resources is to be assigned and main-
                     tained. Periodic comparison shall be made of the
                     resources with the recorded accountability to deter-
                     mine whether the two agree. The frequency of the
                     comparison shall be a function of the vulnerability
                     of the asset.






Audit Resolution Standard

                    Prompt resolution of audit findings. Managers are
                    to (1) promptly evaluate findings and recommendations
                    reported by auditors, (2) determine proper
                    actions in response to audit findings and
                    recommendations, and (3) complete, within established
                    time frames, all actions that correct or otherwise
                    resolve the matters brought to management’s attention.


General Requirements

                    GAO expects that most audits/evaluations will
                    include an assessment of internal controls. Usually,
                    these assessments should be performed early during
                    the survey stage of an assignment.

                    Assignments that are not audits/evaluations need
                    not comply with the internal control standard (see
                    GPM, p. 4.0-2), but an internal control assessment
                    might enable GAO staff to reduce the extensiveness
                    of work otherwise required to attain objective(s).
                    Initial and final determinations of whether internal
                    control assessments are required must be documented
                    on GAO Form 185. (See PM, p. 4.1-45.)

                    In some assignments, staff might be able to attain
                    the objective(s) without evaluating internal controls.
                    In such circumstances, staff should carefully
                    consider the possible adverse consequences of not
                    assessing internal controls or of the absence of
                    controls.

                    GAO might, for example, conclude that an agency
                    made a certain decision (e.g., to establish a new
                    office location) fairly and impartially, on the basis
                    of reasonable anticipation of costs and benefits.
                    However, if GAO did not assess relevant internal
                    controls or if there are no applicable controls, there
                    is no assurance that similar decisions by the agency
                    have been or will be properly made.

                    If internal controls are extremely weak or
                    nonexistent, to attain the assignment’s objectives may
                    be impossible or an exorbitant investment of staff
                    resources may be required. In such cases, staff
                    should consider whether alternative objectives
                    would meet the user’s needs.

                  Internal control assessments can help auditors/
                  evaluators perform assignments more quickly, and
                  do work with greater assurance that objectives are
                  achieved. Such assessments help to

                • determine when internal controls can be relied on to
                  reduce audit testing,
                • focus on areas of weakness for emphasis during the
                  assignment, and
                • identify potential causes of problems or deficiencies
                  to which recommendations for corrective action can
                  be directed.

                  In assessing the extensiveness of needed controls,
                  GAO staff should consider that the cost of controls
                  should not exceed the benefit derived.

                  The action steps undertaken to assess controls may
                  simultaneously help attain other objectives, such as
                  resolving the overall assessment objective or
                  assessing compliance with applicable laws and
                  regulations. (See Assessing Compliance With Applicable
                  Laws and Regulations, GAO/OP-4.1.2.)


Comprehensive and Targeted Approaches

                   There are two basic approaches in evaluating
                   internal controls: the comprehensive and targeted
                   approaches.

                   The comprehensive approach calls for staff to
                   determine the relative risks associated with the
                   entire internal control system of the entity being
                   reviewed and whether adequate controls exist and
                   whether they are working.

                   The comprehensive approach should be used if the
                   primary assignment objective is to make an
                   all-encompassing evaluation of a particular area. For
                   example, GAO might undertake an assignment to
                   evaluate the Postal Service’s controls over
                   second-class mail, including the eligibility of
                   organizations to use the second-class rates, determining
                   whether appropriate postage was collected, assessing
                   whether processing and delivery of mail were
                   appropriate, and other aspects of second-class mail.
                   The comprehensive approach might also be used if
                   it is anticipated that GAO will be doing extensive
                   work in the entity and detailed knowledge of
                   overall system effectiveness is needed to plan
                   future work.

             Using the targeted approach, staff would limit the
             scope of internal control evaluations to fit the
             assignment’s objective(s). For example, if GAO’s
             objective is to evaluate eligibility of organizations to
             use second-class postage rates, the controls related
             to determining organizations’ eligibility will be
             assessed, but controls related to other issues, such
             as determining and collecting postage and
             processing and delivery, will not be of paramount
             concern.


Defining Objectives

             Clearly defining the assignment objective(s) is a
             must at the beginning of each audit since it guides
             the extensiveness of internal control assessment, as
             well as the scope and methodology of the audit/
             evaluation work. Assignments with broad objectives
             are generally more difficult and require more
             staff resources and time than do assignments with
             limited objectives. Therefore, to the extent possible,
             objective(s) should be defined as precisely as possible
             to preclude unnecessary work, while concomitantly
             meeting the assignment’s purpose.

             For example, the following objective might require
             extensive data gathering based on a random statis-
             tical sample:

             “Determine what percentage of program recipients are ineli-
             gible for benefits.”








                   In contrast, the following objective might be
                   resolved with less extensive statistical sampling:

                   “Determine if the agency consistently uses reasonable con-
                   trols to ensure that only eligible recipients receive benefits.”

                   Assuming that there is a legitimate need to make a
                   determination requiring sampling precision, the
                   results of an internal control assessment can be
                   used to help select the most appropriate and least
                   costly sampling methodology. (For a detailed dis-
                   cussion of sampling techniques, see GAO’s publica-
                   tion entitled Using Statistical Sampling, Transfer
                   Paper 6.)

                   If the assignment is a congressional request, GAO
                   should ensure that there is “a meeting of the
                   minds” as to objectives. The PM contains more
                   details on establishing objectives (ch. 6.1) and
                   working with the Congress (ch. 3.1).

                   In all cases, the objectives, scope, and methodology
                   section of the product should clearly describe the
                   scope of GAO’s work and the assumptions and basis
                   for GAO’s conclusions.


Summary of Internal Control Assessments

                   The first step in evaluating internal controls is to
                   determine the risk exposure, which is the likelihood
                   of significant misuse of resources; failure to achieve
                   program objectives; and noncompliance with laws,
                   regulations, and management policies, etc. The next
                   step in the process is to assess internal control
                   effectiveness. The relationship of risk exposure and
                   internal control effectiveness determines the
                   extensiveness of audit/evaluation tests as illustrated in
                   table 2.1 below.








Table 2.1: Determining Extensiveness of Audit Tests

  Risk exposure    +    Internal control effectiveness    =    Extensiveness of audit tests
  -------------         ------------------------------         ----------------------------
  High                  Weak                                   High
                        Adequate                               Moderate to high
                        Strong                                 Low to moderate

  Moderate              Weak                                   Moderate to high
                        Adequate                               Moderate
                        Strong                                 Low

  Low                   Weak                                   Low to moderate
                        Adequate                               Low
                        Strong                                 Very low

                                Chapter 2 describes how to assess risk exposure,
                                and chapter 3 describes how to assess the
                                effectiveness of internal controls.
                                                           * * * * *

                                Definitions of key terms used in this guide are con-
                                tained in the glossary.




Chapter 2
Assessing Risk Exposure


                           The key steps in determining risk exposure are to

                         • determine significance and sensitivity;
                         • evaluate the susceptibility of failure to attain
                           program goals, noncompliance with laws and
                           regulations, inaccurate reporting, or illegal or
                           inappropriate use of assets or resources;
                         • be alert to any “red flags;”
                         • consider management’s support; and
                         • consider competency of personnel.

                           These key steps are discussed in sequence in this
                           chapter, but in actual practice, these steps might be
                           performed concurrently with other assignment
                           steps. Also, in some circumstances these steps might
                           only require a very brief consideration, or staff may
                           already have sufficient knowledge to reach these
                           assessments.


Significance and Sensitivity

                           Significance refers to the importance of items,
                           events, information, matters, or problems.
                           Frequently significance can be assessed in terms of
                           dollars. In other instances, assessing significance
                           requires a more subjective judgment. For example,
                           the unauthorized use of a government vehicle in a
                           single instance is normally considered of limited
                           significance, but unsafe operation of a nuclear power
                           plant is of great significance since a failure could be
                           a catastrophe.

                           Sensitivity refers to the likely perception and emo-
                           tional response by others to conditions or circum-
                           stances. Determining sensitivity requires judgment
                           based on the circumstances in each case, but some
                           issues likely to be judged as sensitive include

                         • issues that have received media coverage;
                         • issues that have been the subject of congressional
                           interest and inquiry;
                         • issues of a highly partisan nature;
                         • issues involving mistreatment of children or the
                           elderly; and
                         • issues involving environmental contamination or
                           pollution.

                         A high degree of risk exposure may be indicated by
                         either the significance or the sensitivity of the sub-
                         ject matter under review, or matters may be both
                         significant and sensitive. For example, a former
                         high-level official used influence to convince an
                         agency to fund construction of certain projects, and
                         for minimal effort, the former official was paid a
                         large fee by the project developers. As reported,
                         these instances of imprudent use of public funds
                         could total hundreds of millions of dollars. Disclo-
                         sures of these instances received a great amount of
                         publicity.


Susceptibility

                         After determining significance and sensitivity, staff
                         should next assess susceptibility. Susceptibility
                         refers to the propensity for misuse of resources;
                         failure to achieve program objectives; and noncom-
                         pliance with laws, regulations, and management
                         policies, etc.

                         An item or an issue of large significance does not
                         necessarily involve great susceptibility. For
                         example, an item of military equipment might have
                         large significance because of its high cost, but it
                         might be so large and heavy or difficult and expen-
                         sive to operate that there is only a low risk of theft
                         or unauthorized use.

                         Staff should formulate questions to assess suscepti-
                         bility, based on the inherent nature of the subject
                         being audited/evaluated, and should maintain an
                         attitude of skepticism. Examples of questions to ask
                         follow.

                 •       Does the activity under audit involve liquid assets
                         that are readily marketable (e.g., cash or securities)
                         or could be misappropriated for personal use (e.g.,
                         tools, cars, auto repair parts, or computers)?


        Such assets are very susceptible to improper use or
        theft.

•       Do the incentives to make false representations or
        claims outweigh the penalties?

        If benefits are based on need, individuals will have
        an incentive to overstate their need in order to
        qualify or get a larger benefit. Normally, there
        should be a penalty or a deterrent to discourage
        persons from making false or exaggerated claims.

•       Are the requirements imposed on program partici-
        pants reasonable, or are they so complicated and
        cumbersome that failure to comply can be
        expected?

    •   Does the activity have numerous transactions?

        The more transactions there are, the greater the
        chances of errors or irregularities. Also, a large
        number of transactions increases the difficulty of
        detecting errors or irregularities.

    •   Have important government activities/programs
        been contracted out or delegated to persons outside
        the government without an adequate control
        system?

        In 1987, for example, the Department of Housing
        and Urban Development reported in its annual FIA
        report that inadequate property disposition controls
        provided the potential for closing agents (who were
        not government employees) to manipulate funds or
        take funds for their own use. In 1989, a closing
        agent testified that she had improperly used large
        amounts of government funds for unauthorized
        purposes.

    •   Are significant benefits of government programs
        extended to individuals or corporations by govern-
        ment officials whose actions are generally not sub-
        ject to public examinations?

                      Generally, if actions and/or decisions by govern-
                      ment officials are not subject to public examination
                      or scrutiny, there is a greater opportunity for those
                      officials to take actions or make decisions which are
                      not in the best interests of the government.

                  •   Is the program or the activity designated as a high-
                      risk area by GAO or the Office of Management and
                      Budget (OMB)?

                      GAO and OMB have identified high-risk programs
                      and activities vulnerable to fraud, waste, abuse,
                      and mismanagement. GAO’s list of 14 areas includes
                      such items as guaranteed student loans, Department
                      of Defense major systems acquisitions, and manage-
                      ment and disposal of savings and loan assets worth
                      billions of dollars.

                  •   Have the agencies’ FIA reports included material
                      internal control weaknesses pertaining to the
                      activity?

                      If the responsible agency determines that a given
                      program or activity has major management or con-
                      trol problems, such information should be consid-
                      ered as prima facie evidence of a high degree of
                      susceptibility.


“Red Flags”

                      Staff should be alert for and consider any “red
                      flags,” including

              • a prior history of improper program administration
                (e.g., agency officials’ convictions of bribery);
              • a history of material weaknesses described in
                annual FIA reports or prior audits;
              • agency officials obtaining financial or other benefits
                on the basis of decisions made or actions taken in an
                official capacity;
              • awarding of grants/contracts by high ranking offi-
                cials and inadequate review of such transactions;
              • poorly defined and documented internal control
                procedures;
              • recognition by agency officials/internal auditors
                that the agency’s automated systems are anti-
                quated, poorly designed, and/or fail to meet user
                needs;
              • lack of, or an ineffective, internal audit function;
              • complex transactions;
              • lack of specific performance measures for the pro-
                gram/activity, thereby making accountability for
                results difficult or impossible to measure;
              • a high default rate on government-backed loans,
                high asset write-offs, continued losses of sensitive
                items, poor inventory controls, physical inventories
                not performed, inadequate reconciliation and reso-
                lution of major discrepancies, etc.;
              • management inability to correctly establish
                priorities;
              • activities dominated and controlled by a single
                person or a small group;
              • a high rate of personnel turnover in key occupa-
                tions; and
              • unreasonable explanations by auditee.


Management Support

                 Staff should consider whether management recog-
                 nizes the importance of, and has made a commit-
                 ment to implement, internal controls. Examples of
                 questions to ask follow.

             • Has management set the right “tone at the top” by
               clearly stating, in writing, its expectations for integ-
               rity, honesty, and impartiality?
             • Has management prescribed behavior standards,
               including a code of conduct, and conflict of interest
               regulations?
             • Does management support and comply with its
               written expectations, or is there a prevalent envi-
               ronment in which management ignores the stan-
               dards that apply to others?
             • Is there a strong and competent Inspector General
               (IG) organization?
             • Does management promptly respond when control
               problems are first identified, or have control
               problems been repeatedly disclosed in prior audits/
               evaluations by GAO, the IG, or others?
             • Has management reviewed the subject area during
               its periodic FIA reviews? If so, was the FIA review
               reasonably comprehensive?
             • Is management willing to discuss its approach
               toward controlling assets and activities?
             • Is management knowledgeable of the subject area
               and potential problems?


Competence of Personnel

                        Managers and employees of the entity should have
                        personal and professional integrity and should
                        maintain a level of competence that allows them to
                        accomplish their duties, as well as understand the
                        importance of developing and implementing good
                        internal controls. Examples of questions to ask
                        follow.

                • Is there a stable management team with continuity
                  and a good reputation?
                • Are employees periodically reminded of their
                  responsibilities under the code of conduct?
                • Are employees’ financial holdings periodically
                  reviewed?
                • Have technical skill requirements been prescribed?
                  Are they based on appropriate criteria and in accor-
                  dance with normal requirements of the particular
                  occupation?
                • Is there a sufficient number of employees to accom-
                  plish tasks?
                • Do hiring and staffing decisions include verification
                  of education and experience?
                • Are employees provided needed formal and on-the-
                  job training?
                                                * * * * *

                        After considering the above elements, staff should
                        assess whether overall risk exposure is high, mod-
                        erate, or low.



This assessment affects the level of expectations for
the strength of and the adherence to internal con-
trols, which, in turn, influences the extent of
required audit testing. Chapter 3 discusses these
issues in greater detail.




Chapter 3
Assessing Internal Control Systems



                 After assessing risk exposure, GAO staff should
                 assess the effectiveness of the internal control
                 system. In most cases, internal control assessments
                 are necessary to ensure that GAO’s work will meet
                 assignment objectives and enable GAO’s products to
                 present results in a balanced perspective. Any
                 transaction, event, or award examined by GAO
                 might be atypical. Control assessments give evi-
                 dence whether transactions, events, or awards are
                 likely to be handled in the same manner. Therefore,
                 this tool can help determine whether GAO findings
                 represent prevalent conditions or isolated
                 occurrences.

                 Internal controls include (1) the objective(s), (2) the
                 control procedures used to provide reasonable
                 assurance that goals and objectives are met;
                 resources are adequately safeguarded and effi-
                 ciently used; reliable data are obtained, maintained,
                 and fairly disclosed in reports; and laws and regula-
                 tions are complied with, (3) the accounting system,
                 and (4) management’s monitoring system.

                 The key steps in assessing internal controls are to

             • identify and understand relevant internal
               control(s),
             • determine what is already known about control
               effectiveness,
             • assess adequacy of control design,
             • determine if controls are properly implemented, and
             • determine if transactions are properly documented.

                 The objective of determining the effectiveness of
                 controls is to determine the extent to which they
                 can be relied on and thereby reduce the extent of
                 audit/evaluation testing. This relationship of risk
                 exposure and effectiveness of internal controls is
                 illustrated by table 2.1 on page 15. Obviously, the
                 greater reliance one places on internal controls, the
                 less testing may be required, thus showing a direct
                 payoff for this assessment effort.


Identifying Controls

                Internal controls consist of the control objective(s),
                control procedures, the accounting system, and
                management’s monitoring system.

                Control objectives are the positive effects that man-
                agement tries to attain or an adverse condition/neg-
                ative effect that management is seeking to avoid.

                Control procedures are the specific steps estab-
                lished by management to provide reasonable assur-
                ance that control objectives are achieved.

                Accounting system includes the methods and the
                records used to identify, assemble, analyze, classify,
                record, and report transactions and maintain
                accountability for assets, liabilities, revenues, and
                expenses.

                Monitoring system includes management’s methods
                for following up and checking on performance to
                ensure that control and accounting procedures are
                complied with. It includes internal auditing func-
                tions and systems for following-up on needed cor-
                rective actions.

                Judgment must be used to identify and understand
                controls related to the assignment’s objective(s). For
                example, if the objective is to determine whether an
                agency properly awards grants, the staff should
                focus on control procedures relating to evaluating
                and approving grant applications and on accounting
                system controls to ensure that sufficient funds are
                available for award and that excessive grants (indi-
                vidually or in total) are not made. Controls relating
                to recipient use of grant funds, although very
                important to the overall program, are not directly
                related to the objective and thus need not be
                reviewed.


Known Control Effectiveness

                    After identifying and understanding the controls
                    relevant to the assignment’s objective(s), staff
                    should consider what, if anything, is already known
                    about control effectiveness. GAO or other audit/
                    evaluation organizations may have recently com-
                    pleted audits/evaluations that included assessments
                    of internal controls.

                    If GAO has recently completed such an assessment,
                    consideration should be given to how recent the
                    assessment was and whether assessment results
                    need to be updated with limited inquiries and tests.

                    If an assessment was recently made by another
                    audit/evaluation organization, staff should consider
                    how recent and thorough the assessment was, as
                    well as the organization’s reputation, qualifications,
                    and independence. A determination should then be
                    made whether to rely on the results, or do addi-
                    tional tests. (See the Yellow Book, p. 3-14).

                    If prior control assessments by GAO or others are
                    considered to be sufficiently recent and thorough,
                    staff need not further assess internal control design
                    and implementation.


Assessing Control Design

                    Considering the information developed during the
                    assessment of risk exposure and on the basis of
                    skepticism, GAO staff should project what is most
                    likely to be wrong (misuse of resources, failure to
                    attain program objectives, etc.). Then, the internal
                    controls should be examined to determine if they
                    are logical, reasonably complete and are likely to
                    deter or detect possible misuse, failure, or errors.

                    Assume, for example, that GAO is assessing
                    whether an agency properly awards grants. Also
                    assume the assessment of risk exposure indicates
                    that the agency may be making grants even though
                    some recipients are not complying with require-
                    ments to (1) have approved affirmative action
                    plans, (2) fully account for prior grants, and (3)
                    prepare and obtain approval of environmental
                    impact statements relating to any proposed capital
                    improvement projects. Under these circumstances,
               staff should determine what, if any, controls are in
               place to ensure that applicants meet these criteria.

               For example, staff could determine whether affirm-
               ative action plans were in place, and whether the
               granting agency confirmed that such affirmative
               action plans for applicants were approved. If not,
               such an omission would represent a weakness that
               should be pursued through subsequent tests to
               determine if, in fact, grants are being made to appli-
               cants that did not have approved affirmative action
               plans.

               Controls should provide reasonable, but not abso-
               lute, assurance of deterring or detecting misuse of
               resources, failure to achieve program objectives,
               noncompliance with laws, regulations, and manage-
               ment policies, etc. In assessing the extensiveness of
               needed controls, GAO staff should consider the rea-
               sonableness of the controls in relation to the bene-
               fits to be gained.


Are Controls Implemented?

               Even though internal controls may be logical and
               well-designed and may seemingly be strong, system
               effectiveness may be impaired if control procedures
               are not correctly and consistently used. For
               example, if an entity requires the manager’s
               approval for all purchases over $25,000 but the
               manager does not, in fact, review the purchase
               orders, this requirement will not effectively prevent
               or detect unnecessary purchases. Thus, the extent
               that control procedures are adhered to should be
               determined.

               Control procedures may not be complied with
               because management may override them;
               employees may secretly be working together (collu-
               sion) to avoid using or circumvent them; and
               employees may not be correctly applying them due
               to fatigue, boredom, inattention, lack of knowledge,
               or misunderstanding.


                        Sufficient testing should be conducted to afford a
                        reasonable basis for determining whether the con-
                        trols are being consistently applied.


Proper Transaction Documentation

                        All transactions and events should be clearly docu-
                        mented, and documentation should be readily avail-
                        able for examination. Examples of questions to ask
                        follow.

                • Are internal control objectives and procedures for-
                  malized in writing?
                • Have policies and procedures been systematically
                  documented, including policies and procedures
                  manuals or guides, personnel manuals, organization
                  charts, flow charts, or other written descriptions?
                • Are all transactions and events adequately docu-
                  mented, and is documentation readily available for
                  examination?
                • Are FIA assessments thoroughly documented? Does
                  documentation show personnel involved in making
                  the assessments, evaluation methods used, key fac-
                  tors considered, tests performed, and conclusions
                  reached? Is other required documentation, for
                  example, current internal control directives and
                  management control plans, prepared and available?
                • Is budget justification data available, and is it con-
                  sistent with other accounting and budgetary data?
                                              * * * * *

                        Detailed tests should be designed considering objec-
                        tive(s), risk exposure, and control strengths and
                        weaknesses.

                        For example, assume that an assignment’s objective
                        is to determine whether an agency properly awards
                        grants and GAO determines that (1) the controls
                        over determining applicants’ eligibility are strong
                        but (2) the controls over accounting for grant funds
                        are weak.



                     In this case, tests for eligibility determination
                     should be restricted and might include taking a
                     small judgmental sample of approved and rejected
                     applications and independently confirming key
                     information relating to eligibility. Conversely, tests
                     over accounting for grant funds should be more
                     extensive. Tests might include confirming that (1)
                     all grantees actually received the funds to which
                     they were entitled, (2) funds were advanced to
                     grantees in accordance with regulations, (3) the
                     granting agency did not exceed amounts approved
                     by OMB, (4) any funds impounded by OMB or the
                     granting agency were reported as required by law,
                     and (5) accounting and budget records accurately
                     reflected actual transactions and balances.

                     Chapter 5 contains a case study illustrating how
                     risk exposure and internal control effectiveness
                     affect the extent of audit/evaluation tests.


Determining Reliability of Computer-Processed Data

                     In its audits/evaluations, GAO frequently uses data
                     that was processed by computer. Generally
                     accepted government auditing standards, in the
                     Yellow Book, require that when computer-
                     processed data are an important part of the audit
                     and the data’s reliability is crucial to assignment
                     objectives, the data’s relevance and reliability be
                     established.

                     Special concepts and techniques are necessary to
                     determine reliability of computer-processed data.
                     GAO has prepared a guide, entitled Assessing the
                     Reliability of Computer-Processed Data (GAO/OP-
                     8.1.3) that explains how to do this.




Chapter 4
Reporting on Internal Control Assessments



              This chapter discusses the generally accepted gov-
              ernment auditing standards requirement for
              reporting results of internal control assessments. It
              also gives illustrative language to use when staff
              determine that controls can or cannot be relied on,
              or when control effectiveness was not assessed.


Government Auditing Standards

              For performance audits, the government auditing
              standards provide that:

              The report should identify the significant
              internal controls that were assessed, the scope
              of the auditor’s assessment work, and any signif-
              icant weaknesses found during the audit.

              Reporting on internal controls will vary depending
              on the significance of any weaknesses found and
              the relationship of those weaknesses to the audit
              objectives.

              Where the sole objective is to audit the internal con-
              trols, weaknesses found of significance to warrant
              reporting would be considered deficiencies and be
              so identified in the assignment product. The
              internal controls that were assessed would be iden-
              tified for full presentation of the findings.

              In performance audits, significant weaknesses in
              internal controls may be identified as a key source
              of deficient performance. In reporting such find-
              ings, the controls would be identified and the weak-
              nesses would be described as the “cause.”

              Any internal control weaknesses not included in the
              principal assignment product because of insignifi-
              cance, should be separately communicated to man-
              agement, preferably in writing. The principal
              product should make reference to control weak-
              nesses being separately communicated to
              management.



                      internal control weaknesses, the weaknesses should
Assessment            be discussed in the product and linked, as specifi-
                      cally as possible, to GAO’s Standards for Internal
                      Controls in the Federal Government. Significant
                      internal control weaknesses identified in GAO’s
                      work typically are presented as causes of problems
                      or deficiencies and should be accompanied by rec-
                      ommendations for corrective action. If significant
                      control weaknesses are identified, the product also
                      should disclose whether they were included in the
                      agency’s reporting under FIA. If the weakness is
                      significant and has not been reported under FIA,
                      GAO should recommend that it be reported.


Reporting on Reliable Controls

                      If GAO’s assessment shows that controls are effec-
                      tive and can be relied on, a GAO product might
                      state:

                      “We reviewed the agency’s internal controls relating to
                      [describe controls]. Our tests showed that the agency’s con-
                      trols were logically designed and consistently applied. There-
                      fore, we limited our tests to [describe tests performed].”


Reporting on Unreliable Controls

                      GAO’s control assessment may show that controls
                      cannot be relied on. In these cases, a GAO product
                      might state:

                      “We reviewed the agency’s controls relating to [describe con-
                      trols]. Our assessment showed that the controls were not
                      properly designed and/or implemented, therefore we could
                      not rely on them in designing our audit approach. However
                      we conducted more extensive testing to achieve our objective
                      of [describe objective].”

                      The report should clearly state what alternate steps
                      and additional tests were done to ensure that the
                      transactions were properly handled and recorded.

                      When internal controls are unreliable, caution must
                      be used in relying on extended audit tests to achieve
                      assignment objectives. In some cases, achievement


                      Page 30                                         GAO/OP-4.1.4
                      Chapter 4
                      Reporting on Internal
                      Control Assessments




                      of objectives would require such extensive testing
                      that the costs of doing the work would be prohibi-
                      tive or impractical. In such cases, staff should con-
                      sider alternatives including redefining assignment
                      objectives, and/or reporting that objectives could
                      not be met because of the poor controls and the high
                      cost of alternative test procedures.


Reporting on          When controls are important to issues addressed in
Unassessed Controls   a product but were not reviewed, the product must
                      be qualified. For example:

                      “We did not review internal controls relating to the [describe
                      controls] because [cite reason]. Except as noted above, our
                      work was conducted in accordance with generally accepted
                      government auditing standards.”

                      If such a nonconformity statement is necessary, the
                      position must be discussed with the Assistant
                      Comptroller General for Planning and Reporting
                      before final processing.




Chapter 5
Case Study: Guaranteed Student Loans


             Using a hypothetical case, this chapter illustrates
             how to assess internal controls and how assessment
             results influence the extent of audit/evaluation
             testing. It describes background and the case study
             objective, and it illustrates how to determine the
             extent of testing required.

             This case study illustrates how to apply the con-
             cepts discussed in earlier chapters, but in actual
             practice staff would resolve issues and perform
             these steps concurrently. Some issues would require
             only brief consideration, and others may have
             already been resolved by prior GAO efforts, or
             knowledge of the issues/environment.


Background   Under the Stafford Student Loan Program, private
             lenders make loans at low interest rates to qualified
             students attending approved educational institu-
             tions. The Department of Education pays the
             interest while the loan recipient attends school and
             for a stipulated time thereafter (the grace period).
             Education also funds special allowance payments
             during the life of the loan to provide lenders the dif-
             ference between the loan interest rate and the rate
             on 90-day Treasury bills, plus 3-1/4 percent. If
             borrowers default on their loans, the intermediaries
             (usually state agencies) pay the lenders; Education
             stops paying interest and special allowances; and
             the intermediaries are, in turn, reimbursed up to
             100 percent by Education.


Case Study   For the purposes of this case study, assume that the
Objective    assignment objective is as follows:

             Determine if Education is paying substantial
             amounts of interest and special allowance (interest
             subsidy) to lenders for ineligible students under the
             Stafford Student Loan Program or if incorrect
             amounts are being paid on behalf of eligible
             students.


Risk Exposure          In determining risk exposure, consideration should
                       be given to: (1) significance and sensitivity; (2) the
                       susceptibility of making incorrect interest and spe-
                       cial allowance payments; (3) the existence of any
                       “red flags;” (4) indications of whether management
                       supports strong internal controls; and (5) the exis-
                       tence of sufficient, competent personnel to ade-
                       quately administer the controls.


Significance and       Determining the significance and sensitivity of stu-
Sensitivity            dent loans involves resolving questions such as the
                       following:

                   • What is the amount of funds involved?
                   • Is it increasing or decreasing?
                   • Is the program likely to continue, or is it likely to be
                     curtailed or eliminated?
                   • Is there much congressional interest in student
                     loans? Is there much publicity in the media?


Susceptibility         In assessing susceptibility to incorrect interest and
                       special allowance payments, staff should ask
                       questions such as the following:

                   • Do students have an incentive to withhold
                     information and/or provide inaccurate information to
                     lenders, schools, intermediaries, and/or Education
                     that would cause interest and special allowance
                     overpayments?
                   • Is there a lack of incentives for lenders, schools, and
                     intermediaries to carefully fulfill their program
                     responsibilities? Are the penalties for doing a poor
                     job insignificant or nonexistent?
                   • Is there a practical penalty to discourage students
                     (or others) from making false claims? Are penalties
                     appropriately used?
                   • Are the administrative and paperwork
                     requirements imposed on students, intermediaries, lenders,
                     schools, and others understandable and feasible to
                     meet?


              • Have there been frequent changes in laws and
                regulations?
              • Are there many transactions?
              • Are there many program participants (borrowers,
                lenders, schools, and intermediaries)?
              • Are significant program aspects (e.g., approving
                eligibility for loans and determining loan amounts)
                administered or determined by those not under
                Education’s direct control (e.g., employees of
                lenders, schools, and intermediaries)?
              • Have student loans been designated as a high-risk
                area by GAO or OMB?
              • Is program management highly decentralized? Are
                significant loan decisions (e.g., loan approval and
                certification of schools for program participation)
                made by many persons at widely scattered
                locations? (Too much decentralization without adequate
                monitoring and control may increase the risk of
                erroneous decisions.)


“Red Flags”         Staff should be alert for and consider any “red
                    flags” or indicators of weakness. These might
                    include

                  • a high rate or an increasing rate of loan defaults,
                  • inadequate records to support lenders’ interest and
                    special allowance billings,
                  • prosecution and/or conviction of persons for
                    fraudulently obtaining student loans, and
                  • allegations or indications that some schools were
                    not providing quality instruction but were running
                    “diploma mills” to swindle students and the
                    government.


Management          Staff should also consider management’s support of
Support             internal controls. Questions to ask include:

                  • Has management at the Department of Education
                    and at the intermediary, school, and lender levels
                    prescribed and adhered to a code of conduct and/or
                    conflict-of-interest regulations?

                    • Have past efforts by GAO and other audit/evaluation
                      groups identified significant erroneous
                      payments of interest and special allowances? If so, has
                      Education management promptly implemented
                      corrective action?
                    • Has the program been reviewed during Education’s
                      periodic FIA reviews? Was prompt management
                      action taken when needed?
                    • Is Education management knowledgeable about the
                      program and actual or potential problems?
                    • Is Education management willing to discuss various
                      aspects of the program cooperatively?


Competence of         Finally, in assessing inherent risk, staff should con-
Personnel             sider the competence of personnel to adequately
                      and consistently administer the loan program. Ques-
                      tions to ask include:

                • Do lenders, schools, and/or intermediaries have
                  difficulty maintaining a staff with adequate technical
                  knowledge to ensure accurate and consistent
                  program administration?
                • Has Education prescribed any academic,
                  experience, and/or ethical standards for employees of the
                  intermediaries, lenders, or schools to ensure their
                  competence and integrity?
                • Are employees of Education, intermediaries,
                  lenders, and schools periodically reminded of their
                  responsibilities under the code of conduct?
                                               * * * * *

                      On the basis of the information obtained in response
                      to these questions, staff should be able to determine
                      whether risk exposure is high, moderate, or low.




Assessing Control            After determining the degree of risk exposure, staff
Effectiveness                should assess internal control effectiveness by

                         • identifying and understanding controls,
                         • determining what is already known about control
                           effectiveness,
                         • assessing adequacy of control design,
                         • determining if controls are properly implemented,
                           and
                         • determining if transactions are properly
                           documented.


Identifying Controls         Staff should use judgment in identifying and
                             understanding controls. They should try to identify
                             important control features related to assignment
                             objective(s), and exclude from consideration
                             features not related to assignment objectives.

                             In this case study, GAO should consider internal
                             controls relating to such matters as the following:

                         • the mathematical accuracy of lenders’ billings;
                         • lenders’ verifications with educational institutions
                           that borrowers are active students (if borrowers are
                           no longer active students or are not in the grace
                           period, they must begin loan repayment);
                         • verifying that students are attending schools that
                           have been approved by Education; and
                         • verifying that students met financial and other
                           eligibility requirements.

                             Conversely, GAO staff should probably exclude
                             from consideration internal controls not directly
                             related to the assignment objective, such as

                         • the adequacy of Education’s review and approval of
                           lenders for program participation,
                         • intermediaries’ efforts to recover amounts owed on
                           defaulted loans, and
                         • lending institutions’ compliance with
                           nondiscriminatory employment requirements.


Known Control       After identifying controls related to assignment
Effectiveness       objectives, staff should consider what is already
                    known about the effectiveness of the controls. Such
                    knowledge may be based on GAO prior work (sup-
                    plemented by limited inquiries and tests, if needed,
                    to ensure GAO’s knowledge is up-to-date) or on
                    work by other audit/evaluation organizations. If the
                    work was done by other organizations, GAO staff
                    should make inquiries and perform tests to deter-
                    mine its acceptability and reliability. (See the
                    Yellow Book, p. 3-14).

                    What is already known about control effectiveness
                    influences additional work required. If, for
                    example, prior GAO work shows that Education has
                    strong controls to ensure the mathematical accu-
                    racy of lenders’ billings, further analysis of the con-
                    trols is not necessary.

                    Similarly, if a recent IG audit shows that Education
                    did not have adequate controls to ensure that stu-
                    dents received grades satisfactory to stay eligible
                    and if GAO inquiries establish the acceptability and
                    the reliability of the IG’s work, further GAO
                    analysis of Education’s controls over this subject is not
                    necessary. Staff could then design the
                    implementation audit/evaluation tests on the basis that those
                    controls are weak.


Assessing Control   The next step is to anticipate the events or transac-
Design              tions that are most likely to negatively affect
                    assignment objectives. Then staff should assess
                    whether the controls are adequate and reasonable
                    to prevent or detect the negative events or transac-
                    tions, assuming that the controls are faithfully
                    implemented.

                    For example, staff may have developed concerns
                    about whether recipients were obtaining loans
                    through two or more state agencies and thereby
                    receiving loans exceeding the maximum allowable
                    amount. To detect this negative condition (if it
    exists), Education could use a computer to match
    names, addresses, and/or identification numbers of
    recipients in different states and follow up to
    resolve any apparent “matches.”

    Some additional negative events or transactions
    that might be anticipated or projected include the
    following:

• Applicants may be misrepresenting their financial
  or other circumstances to qualify for loans.
• Even though they may meet eligibility
  requirements, applicants may be misreporting
  circumstances to obtain larger loan amounts than they are
  entitled to.
• Lenders may be incorrectly computing the amounts
  of interest subsidies. (This is a complex
  computation for each loan. Correct interest subsidy depends
  on the difference in the loan rate and the Treasury
  interest rate; these rates vary according to when
  the loans were made.)
• Special allowance payments may be excessive
  because lenders are not promptly determining when
  borrowers have completed school or dropped out.
  (Normally, when students graduate or drop out,
  they are required to begin loan repayment, after
  expiration of the grace period, and Education’s
  payment of special allowances is reduced).
• Duplicate interest and special allowance payments
  might be paid because the original lender might
  have “sold” a loan to another financial institution
  and both institutions may be claiming the interest
  and special allowance on that loan.

    In each of these anticipated conditions, staff should
    examine the design of internal controls to determine
    if the negative condition would be deterred or
    detected.
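
The computer match across state agencies and the duplicate-billing condition described above can both be expressed as simple detective checks. The sketch below is an added example, not code from GAO or Education; the record layouts, field names, the $10,000 limit and all sample rows are constructed assumptions.

```python
"""Added illustration of two detective controls from the case study.

Record layouts, field names, the loan limit and every sample row are
constructed for this example; none of them come from the GAO guide.
"""
import re
from collections import defaultdict
from datetime import date

MAX_ALLOWABLE = 10_000  # hypothetical aggregate limit per recipient


def norm(text):
    """Fold case, punctuation and spacing so near-identical strings compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def match_keys(rec):
    """Keys on which two loan records count as the same recipient."""
    keys = [("name_addr", norm(rec["name"]) + "|" + norm(rec["address"]))]
    digits = re.sub(r"\D", "", rec.get("id_number", ""))
    if digits:
        keys.append(("id", digits))
    return keys


def cross_agency_matches(loans, limit=MAX_ALLOWABLE):
    """Link records sharing any key (union-find) and report recipients who
    hold loans through two or more state agencies, for manual follow-up."""
    parent = list(range(len(loans)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(loans):
        for key in match_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, rec in enumerate(loans):
        groups[find(i)].append(rec)

    findings = []
    for recs in groups.values():
        agencies = sorted({r["agency"] for r in recs})
        if len(agencies) > 1:
            total = sum(r["amount"] for r in recs)
            findings.append({"loan_ids": sorted(r["loan_id"] for r in recs),
                             "agencies": agencies, "total": total,
                             "over_limit": total > limit})
    return sorted(findings, key=lambda f: f["loan_ids"])


def duplicate_billings(billings):
    """Report loans billed by different lenders for overlapping periods,
    as can happen when a sold loan is claimed by both institutions."""
    by_loan = defaultdict(list)
    for b in billings:
        by_loan[b["loan_id"]].append(b)
    hits = []
    for loan_id, items in by_loan.items():
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                overlap = a["start"] <= b["end"] and b["start"] <= a["end"]
                if overlap and a["lender"] != b["lender"]:
                    hits.append((loan_id, *sorted((a["lender"], b["lender"]))))
    return sorted(hits)


# Constructed sample data: same ID in two formats, and same name/address
# with different punctuation and no ID on file.
LOANS = [
    {"loan_id": "A-1", "agency": "State A", "id_number": "000-11-2222",
     "name": "Pat Q. Example", "address": "12 Elm St., Springfield", "amount": 6000},
    {"loan_id": "B-7", "agency": "State B", "id_number": "000112222",
     "name": "Patricia Example", "address": "40 Oak Ave, Shelbyville", "amount": 5500},
    {"loan_id": "B-8", "agency": "State B", "id_number": "",
     "name": "Lee Sample", "address": "9 Pine Rd Apt 2, Ogdenville", "amount": 3000},
    {"loan_id": "C-3", "agency": "State C", "id_number": "",
     "name": "LEE SAMPLE", "address": "9 Pine Rd., Apt. 2, Ogdenville", "amount": 2500},
    {"loan_id": "A-2", "agency": "State A", "id_number": "000-33-4444",
     "name": "Kim Other", "address": "1 Main St, Springfield", "amount": 4000},
]
BILLINGS = [
    {"loan_id": "A-1", "lender": "First Bank",
     "start": date(1990, 1, 1), "end": date(1990, 3, 31)},
    {"loan_id": "A-1", "lender": "Second Trust",
     "start": date(1990, 3, 1), "end": date(1990, 5, 31)},
    {"loan_id": "A-2", "lender": "First Bank",
     "start": date(1990, 1, 1), "end": date(1990, 3, 31)},
    {"loan_id": "A-2", "lender": "Second Trust",
     "start": date(1990, 4, 1), "end": date(1990, 6, 30)},
]

if __name__ == "__main__":
    for f in cross_agency_matches(LOANS):
        print("follow up:", f)
    for hit in duplicate_billings(BILLINGS):
        print("duplicate billing:", hit)
```

Each finding is only an apparent match; as the text says, someone still has to follow up and resolve it before it counts as an exception.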




Are Internal           Internal controls are not effective unless they are
Controls               correctly and consistently applied. Therefore, in
Implemented?           addition to assessing the adequacy of control
                       design, GAO staff should confirm that the controls
                       have been correctly applied.

                       For example, if Education makes a periodic com-
                       puter comparison to detect any multiple loans to
                       single recipients, GAO staff might examine the
                       results of the comparison and determine what
                       action was taken to resolve apparent duplicate
                       loans. The extent of GAO’s examination would
                       depend on circumstances such as the suspected
                       severity of the problem, its apparent monetary sig-
                       nificance, the possibility of recovering any exces-
                       sive loan amounts with interest and special
                       allowances, and any indications of congressional
                       and/or public interest.


Are Transactions       Finally, in assessing internal control effectiveness,
Properly               staff should consider the adequacy of documentation.
Documented?            Questions to ask include:

                   • Has Education prescribed written internal control
                     objectives and procedures for its staff, as well as
                     for the staffs of other organizations participating in
                     program administration?
                   • Do lenders maintain complete loan files on active
                     loans, fully documenting all transactions and
                     information?
                   • Do lenders submit required documentation with
                     quarterly billings for interest and special
                     allowances?
                   • Do intermediaries maintain complete files on
                     defaulted loans, documenting such information as
                     borrowers’ current addresses and dates of contacts
                     made to attempt collection?




Designing Audit/       As indicated by table 2.1 (see p. 15), the extent of
Evaluation Tests       audit/evaluation tests is determined by the adequacy
                       of internal controls and the risk exposure of
                       the issue. Table 2.1 depicts the principles involved
                       in determining the extent of testing, but in practice
                       this determination is a complex one, requiring
                       judgment.

                       Moreover, on some assignments, multiple determi-
                       nations may be needed. For example, the controls
                       relating to one audit objective may be strong,
                       whereas the controls related to another audit objec-
                       tive may be weak; the extent of testing would
                       depend on the circumstances.

                       The following discussions illustrate how testing
                       would be performed under risk exposure and
                       internal control conditions that require high, mod-
                       erate, and low testing.


High Level of          Assuming that extensive tests are required, they
Testing                could include the following:

                   • Select a sample of lenders’ billings that will provide
                     a reasonable basis for determining if substantial
                     excessive interest and special allowance payments
                     are being made.
                   • Verify that the students met financial and other
                     eligibility requirements by examining documents such
                     as loan applications and confirmation of tuition and
                     other relevant costs and applicants’ income and
                     assets.
                   • Verify that the loans were approved by
                     intermediaries for insurance under the program.
                   • Verify that Education approved schools for
                     participation.
                   • Determine if the correct rate was used to compute
                     interest.
                   • Determine if interest was calculated correctly.
                   • Determine if borrowers were active students (or
                     were in the grace period) to verify that Education
                     was liable for the interest.

                    • Recompute loan balances to verify that lenders
                      correctly computed them.
                    • Verify that lenders had the loans in their portfolios
                      for the billing periods in question. (Lenders often
                      sell loans to other institutions in what is commonly
                      referred to as the secondary market.)

                        Staff should also devise detailed tasks necessary to
                        perform each of these tests. For example, in deter-
                        mining whether borrowers were active students or
                        were in the grace period (thus making Education
                        liable for loan interest payments), specific tasks
                        could include the following:

                    • Check lenders’ individual loan files to determine if
                      they inquired whether borrowers were active
                      students.
                    • If schools responded to lender inquiries, note dates
                      of student attendance and credit hours taken.
                    • Compare dates of attendance with the periods
                      covered by the lenders’ interest billings paid by
                      Education to see if they correspond.
                    • If lenders’ files do not contain needed information,
                      contact schools and request dates of student
                      attendance.

                        The above tests and tasks illustrate the steps that
                        might be taken in the example. In practice, the work
                        to be done must be adapted to the needs of each
                        assignment, including time and cost considerations.


Moderate Level of       If GAO’s assessment of risk exposure and internal
Testing                 control effectiveness indicates that a moderate
                        degree of audit testing is needed to satisfy
                        assignment objectives, the types of issues tested would be
                        similar to, but less comprehensive than, the testing
                        described under the high level of testing
                        above.

                        The focus of the audit/evaluation tests would
                        depend on the specific information developed
                        during the assessment of risk exposure and control
        effectiveness. For example, assume that an IG audit
        established that internal controls were strong, and
        GAO inquiries have determined that the IG audit

    • was comprehensive, examining interest and special
      allowance payments made to a representative
      sample of lenders over a wide geographical area;
    • was carefully planned and supervised, was based
      on a logical methodology, and included an
      evaluation of internal controls; and
    • identified some overpayments and underpayments
      and made recommendations for improvement,
      which Education management agreed to implement.

        However, for this illustration, assume that the IG
        audit did not verify that (1) Education had
        approved the schools for participation and (2)
        lenders had the loans in their portfolios.

        Under these circumstances, GAO’s audit tests might
        include the following:

    • Make supplemental tests of a small sample of
      transactions examined by the IG or similar transactions.
      Make the sample selection by judgmentally
      determining the sample size, and randomly selecting
      transactions.
    • Determine if the promised corrective actions had
      been taken.
    • Select a sample of lenders’ billings and determine
      whether (1) the schools were on Education’s
      approved list and (2) lenders had the loans in their
      portfolios.

        Staff are expected to design detailed tasks to per-
        form these tests. For example, to determine if
        lenders had the loans in their portfolios, the fol-
        lowing tasks might be performed:

    • Obtain a computer printout showing borrowers’
      identification numbers at lenders selected for
      examination.


                       • Select a statistical sample from the printout and
                         examine lender documentation to confirm that loans
                         were in their portfolios.


Low Level of Testing       This case does not lend itself well to a low level of
                           testing because risk exposure is so high. But assume
                           that GAO’s assessment has confirmed that strong
                           controls are being consistently applied to prevent or
                           detect negative conditions that might reasonably
                           exist and are related to payment of interest and
                           special allowances. Assume further that a manage-
                           ment study group has recently completed a thor-
                           ough examination of interest and special allowance
                           payments and GAO’s inquiries confirmed that the
                           group’s work was comprehensive, both in scope and
                           content, and appropriate tests show that the work
                           was reliable. (See the Yellow Book, p. 3-14.)

                           Under these circumstances, further audit/evalua-
                           tion tests might be limited to the following:

                       • Follow up on prior recommendations to assure
                         proper implementation and desired results. Check
                         whether any other audit/evaluation efforts have
                         been performed.
                       • Update any procedural or system changes since the
                         last audit/evaluation.
                       • Ascertain if key personnel changes have been made
                         in areas covered by the audit.
                       • Select a small sample of lenders’ billings and
                         determine if (1) Education’s records show that borrowers
                         were eligible and (2) valid interest rates were used
                         and mathematical calculations are correct. Make a
                         sample selection by judgmentally determining the
                         sample size, and randomly making the selection of
                         billings.




Glossary



Accounting System    The methods and the records established to iden-
                     tify, assemble, analyze, classify, record, and report
                     an organization’s transactions and to maintain
                     accountability for assets, liabilities, revenues, and
                     expenses.


Control Objective    The positive effect that management tries to attain
                     or an adverse condition/negative effect that man-
                     agement seeks to avoid.


Control Procedures   The specific steps that management has established
                     to provide reasonable assurance that control objec-
                     tives will be achieved.


Internal Controls    The (1) objectives, (2) control procedures used to
                     provide reasonable assurance that goals and objec-
                     tives are met; resources are adequately safeguarded
                     and efficiently used; reliable data are obtained,
                     maintained, and fairly disclosed in reports; and
                     laws and regulations are complied with, (3)
                     accounting system, and (4) management’s moni-
                     toring system.


Monitoring System    Management’s methods for following up and
                     checking on performance to ensure that control and
                     accounting procedures are complied with. It
                     includes internal auditing functions and systems for
                     following up on needed corrective actions.


Risk Exposure        The overall assessment of probability that the
                     subject matter or the objective of the audit/evaluation
                     will have experienced significant misuse of
                     resources; failure to achieve program objectives;
                     noncompliance with laws, regulations, and
                     management policies, etc.




Sensitivity    The likely perception and emotional response by
               others to conditions or circumstances.


Significance   The importance of items, events, information, mat-
               ters, or problems.



