United States General Acconntlng Offlce Office of Policy GAO CiAO,‘OP-4.1.4 Preface The government continues to be plagued by serious breakdowns in its internal control systems. Some problems that could have been substantially reduced by more effective internal controls include widespread abuses at the Department of Housing and Urban Development (mismanagement, theft, favoritism, and influence peddling involving billions of dollars); submission of falsified testing results to the Food and Drug Administration by the manufac- turers of generic drugs; the lack of internal controls in the savings and loan industry (involving hun- dreds of billions in cleanup costs); and continued uncontrolled growth of delinquent debts and taxes. Internal control problems are not new. Over the years, various initiatives have been taken to strengthen controls, but they have not always worked. Because of continuing control problems, GAO staff should place renewed emphasis on assessing internal controls related to performance audit/evaluation objectives. Internal controls are intended to provide reasonable assurance that program goals and objectives are met; resources are adequately safeguarded and effi- ciently utilized; reliable data are obtained, main- tained and fairly disclosed in reports; and laws and regulations are complied with. This guide describes how to assessinternal controls. The key steps are to 9 determine the significance and the sensitivity of the program subject matter; l assess susceptibility of misuse of resources, failure to attain objectives, and noncompliance with laws and regulations; l identify and understand relevant internal control(s); l determine what is already known about control effectiveness; l assess adequacy of control design; Page 1 GAO/OP-4.1.4 Preface l determine, through testing, if controls are effective; and l report on internal control assessments and discuss needed corrective actions. The assessment of internal controls requires some additional attention at the front end of a job. This assessment, if performed systematically as described in this guide, can constitute a basis for relying on internal controls to reduce the audit/ evaluation testing otherwise required and thereby attain assignment objectives more quickly and with fewer staff resources. Chapter 1 provides a general overview of assessing internal controls. Chapter 2 explains how to assess risk exposure. Chapter 3 explains how to assess internal control systems. Chapter 4 discusses how to report control assessment results. Chapter 5 con- tains a case study to illustrate some concepts dis- cussed in earlier chapters, The major contributor to this guide was Ben B. Cox, Senior Policy Advisor. For further assistance, please call 202/275-6172. Werner Gros&ans Assistant Comptroller General for Policy Page 2 GAO/OP-4.1.4 Page 3 GAO,‘OP-4.1.4 Contents Preface 1 Chapter 1 6 Internal Control Government Auditing Standards Internal Control Standards Requirements General Requirements Comprehensive and Targeted Approaches 12 Defining Objectives 13 Summary of Internal Control Assessments 14 Chapter 2 16 Assessing Risk Significance and Sensitivity 16 Susceptibility 17 Exposure “Red Flags” 19 Management Support 20 Competence of Personnel 21 Chapter 3 23 hsessingInternal Identifying Controls Known Control Effectiveness 24 24 Control Systems Assessing Control Design 25 Are Controls Implemented? 26 Proper Transaction Documentation 27 Chapter 4 29 Reporting on Government Auditing Standards 29 Reporting Assessment Results 30 Internal Control Assessments Chapter 5 32 Case Study: Background 32 Case Study Objective 32 Guaranteed Risk Exposure 33 Student Loans Assessing Control Effectiveness 36 Designing Audit/Evaluation Tests 40 Page 4 GAO/OP-4.1.4 Contents Glossary 44 Table Table 2.1: Determining Extensiveness of 15 Audit Tests Abbreviations FIA Federal Managers’ Financial Integrity Act GAO General Accounting Office GPM General Policy Manual IG Inspector General OMB Office of Management and Budget PM Project Manual SAS Statement on Auditing Standards Page 6 GAO,‘OP4.1.4 Chapter 1 Internal Control Requirements This chapter discusses the generally accepted government auditing stan- dards contained in GAO’s “Yellow Book,” GAO’s internal control standards, the general requirements and expectations for staff to assess internal controls in most assignments, the comprehensive and targeted approaches and when to use each approach, the importance of clearly defining assignment objec- tives, and . a summary of control assessments. Government GAO’s Government Auditing Standards (commonly referred to as the “Yellow Book”) and chapters 4.0 Auditing of the General Policy Manual (GPM) and 4.1 of the Standards Project Manual (PM) require that GAO assignments consider agencies’ internal controls. For all audits, the standards provide that Due professional care should be used in con- ducting the audit and in preparing related reports. To meet these standards, consideration must be given to the effectiveness and/or the efficiency of internal controls in determining the scope of the audit to be conducted, the methodology to use, and the extent of tests to perform. For performance audits/evaluations, the standards state: An assessment should be made of applicable internal controls when necessary to satisfy the audit objectives. Management is responsible for establishing effec- tive internal controls. The lack of management con- tinuity in government units because of continuing Page 6 GAO/OP-4.1.4 Chapter 1 Internal Controt Requirements changes in elected legislative bodies and in adminis- trative organizations increases the need for effec- tive controls. For financial audits, the standards state: A sufficient understanding of the internal con- trol structure is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. This guide emphasizes expectations for GAO’s per- formance audits. Many concepts and principles dis- cussed will also be useful in financial audits. However, in financial audits, the primary guidance GAO staff should follow is contained in the Amer- ican Institute of Certified F’ublic Accountants’ Statements on Auditing Standards (SAS). The prin- cipal statements relevant to internal controls are SAS No. 55 (Consideration of the Internal Control Structure in a Financial Statement Audit), SAS No. 60 (Communication of Internal Control Structure Related Matters Noted in an Audit), and SAS No, 63 (Compliance Audit.ing Applicable to Government Entities and Other ReciDients of Government Finan- cial Assistance). Over the past several years, significant changes have impacted on the expectations of internal con- trol systems. In 1977, the Foreign Corrupt Practices Act amended the Securities Exchange Act of 1934 to require securities registrants to devise and main- tain systems of internal accounting controls suffi- cient to provide reasonable assurance that transactions are executed, consistently with man- agement’s authorization, transactions are recorded to permit the preparation of financial statements that are in accordance with applicable standards, access to assets is permitted only in accordance with management’s authorization, and recorded accountability for assets is compared with existing assets and appropriate action is taken with respect to any differences. The 1977 act was the result of Page 7 GAO/OP-4.1.4 Chapter 1 Internal Control Requirements numerous revelations that the falsification of records and improper accounting had allowed busi- nesses to make millions of dollars in questionable or illegal payments. There are proposed initiatives being considered which would, if enacted, impact on the require- ments and expectations of internal controls. For example, the Securities and Exchange Commission has proposed that management be required to issue a report on its assessment of whether the internal control system provides reasonable assurance as to the integrity and reliability of financial reporting. Auditors would be required to report any disagree- ments with management’s report identified during the audit of the financial statements. As of August 1990, a proposed change to the Securi- ties Exchange Act of 1934 was being considered which would require both management and audi- tors to address and report on internal controls designed to meet the objectives of the Foreign Cor- rupt Practices Act and protect against illegal acts This guide supercedes GAO’s Guide for Incorpo- rating Internal Control Evaluations Into GAO Work, dated March 1987. f Internal Control The Federal Managers’ Financial Integrity Act of 1982 (FIA) (31 1J.S.C.3512(b)) requires executive Standards agency heads to report annually to the President and the Congress whether agency systems of internal control comply with the act and with the standards prescribed by the Comptroller General. The act states that internal control systems are to reasonably ensure that the following objectives are achieved: . Obligations and costs comply with applicable law. l All assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Page 8 GAO/OP-4.1.4 Chapter 1 Internal Control Requirements 9 Revenues and expenditures applicable to agency operations are recorded and accounted for properly so that accounts and reliable financial and statis- tical reports may be prepared and accountability of the assets may be maintained. The standards prescribed by the Comptroller Gen- eral are set forth in a 1983 publication entitled Standards for Internal Controls in the Federal Government. This publication states that: “The ultimate responsibility for good internal controls rests with management. Internal controls should not be looked upon as separate, specialized systems within an agency. Rather, they should be recognized as an integral part of each system that management uses to regulate and guide its ogera- tions. In this sense, internal controls are management con- trols. Good internal controls are essential to achieving the proper conduct of Government business with full accounta- bility for the resources made available. They also facilitate the achievement of management objectives by serving as checks and balances against undesired actions. In preventing negative consequences from occurring, internal controls help achieve the positive aims of program managers.” The prescribed standards are as follows: General Standards Reasonable assurance: Internal control systems are to provide reasonable assurance that the objectives of the systems will be accomplished. Supportive attitude: Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal controls at all times. Competent personnel: Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls. Page 9 GAO,‘OP4. I .4 Chapter 1 Lntemal Control Requirements Control objectives: Internal control objectives are to be identified or developed for each agency activity and are to be logical, applicable, and reasonably complete. Control techniques: Internal control techniques are to be effective and efficient in accomplishing their internal control objectives. Specific Standards Documentation: Internal control systems and all transactions and other significant events are to be clearly documented, and the documentation is to be readily available for examination. Recording of transactions and events: Transactions and other significant events are to be promptly recorded and properly classified. Execution of transactions and events: Transactions and other significant events are to be authorized and executed only by persons acting within the scope of their authority. Separation of duties: Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals. Supervision: Qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved. Access to and accountability for resources: Access to resources and records is to be limited to author- ized individuals, and accountability for the custody and use of resources is to be assigned and main- tained. Periodic comparison shall be made of the resources with the recorded accountability to deter- mine whether the two agree. The frequency of the comparison shall be a function of the vulnerability of the asset. Page 10 GAO/OP4.1.4 Chapter 1 Internal Control Requirements Audit Resol.ution Prompt resolution of audit findings. Managers are Standard to (1) promptly evaluate findings and recommenda- tions reported by auditors, (2) determine proper actions in response to audit findings and rccommen- dations, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management’s attention. General GAO expects that most audits/evaluations will include an assessment of internal controls. Usually, Requirements t,hese assessments should be performed early during the survey stage of an assignment Assignments that are not audits/evaluations need not comply with the internal control standard (see GPM, p. 4.0-2). but an internal control assessment might enable GAO staff to reduce the extensiveness of work otherwise required to attain objective(s). Initial and final determinations of whether internal control assessments are required must be docu- mented on GAO Form 185. [See PM, p. 4.1-45.) In some assignments, staff might be able to attain the objective(s) without evaluating internal oon- trols. In such circumstances, staff should carefully consider the possible adverse consequences of not assessing internal controls or of the absence of controls. GAO might, for example, conclude that an agency made a certain decision (e.g., to establish a new office location) fairly and impartially, on the basis of reasonable anticipation of costs and benefits. However, if GAO did not assessrelevant internal controls or if there are no applicable controls, there is no assurance that similar decisions by the agency have been or will be properly made. If internal controls are extremely weak or nonexis- tent, to attain the assignment’s objectives may be impossible or an exorbitant investment of staff resources may be required. In such cases, staff Page 11 GAO/OP-4.1.4 Chapter 1 Internal Control Requirements should consider whether alternative objectives would meet the user’s needs. Internal control assessments can help auditors/ evaluators perform assignments more quickly, and do work with greater assurance that objectives are achieved. Such assessments help to . determine when internal controls can be relied on to reduce audit testing, . focus on areas of weakness for emphasis during the assignment, and . identify potential causes of problems or deficiencies to which recommendations for corrective action can be directed. In assessing the extensiveness of needed controls, GAO staff should consider that the cost of controls should not exceed the benefit derived. The action steps undertaken to assesscontrols may simultaneously help attain other objectives, such as resolving the overall assessment objective or assessing compliance with applicable laws and reg- ulations. (See Assessing Compliance With Appli- cable Laws and Regulations, GAO/OP-4.1.2.) Comprehensive There are two basic approaches in evaluating internal controls: the comprehensive and targeted and Targeted approaches. Approaches The comprehensive approach calls for staff to determine the relative risks associated with the entire internal control system of the entity being reviewed and whether adequate controls exist and whether they are working. The comprehensive approach should be used if the primary assignment objective is to make an all- encompassing evaluation of a particular area. For example, GAO might undertake an assignment to evaluate the Postal Service’s controls over second- Page 12 GAO/OP-4.1.4 Chapter 1 Internal Control Requirements class mail, including the eligibility of organizations to use the second-class rates, determining whether appropriate postage was collected, assessing whether processing and delivery of mail were appropriate, and other aspects of second-class mail. The comprehensive approach might also be used if it is anticipated that GAO will be doing extensive work in the entity and detailed knowledge of overall system effectiveness is needed to plan future work. Using the targeted approach, staff would limit the scope of internal control evaluations to fit the assignment’s objective(s). For example, if GAO’s objective is to evaluate eligibility of organizations to use second-class postage rates, the controls related to determining organizations’ eligibility will be assessed, but controls related to other issues, such as determining and collecting postage and processing and delivery, will not be of paramount concern. Defining Clearly defining the assignment objective(s) is a must at the beginning of each audit since it guides Objectives the extensiveness of internal control assessment, as well as the scope and methodology of the audit/ evaluation work. Assignments with broad objec- tives are generally more difficult and require more staff resources and time than do assignments with limited objectives. Therefore, to the extent possible, objective(s) should be defined as precisely as pos- sible to preclude unnecessary work, while concomi- tantly meeting the assignment’s purpose. For example, the following objective might require extensive data gathering based on a random statis- tical sample: “Determine what percentage of program recipients are ineli- gible for benefits.” Page 13 GAO/OP4.1.4 Chapter 1 Internal Control Requirements In contrast, the following objective might be resolved with less extensive statistical sampling: “Determine if the agency consistently uses reasonable con- trols to ensure that only eligible recipients receive benefits.” Assuming that there is a legitimate need to make a determination requiring sampling precision, the results of an internal control assessment can be used to help select the most appropriate and least costly sampling methodology. (For a detailed dis- cussion of sampling techniques, see GAO’s publica- tion entitled Using Statistical Sampling, Transfer Paper 6.) If the assignment is a congressional request, GAO should ensure that there is “a meeting of the minds” as to objectives. The PM contains more details on establishing objectives (ch. 6.1) and working with the Congress (ch. 3.1). In all cases, the objectives, scope, and methodology section of the product should clearly describe the scope of GAO’s work and the assumptions and basis for GAO’s conclusions. Summary of The first step in evaluating internal controls is to determine the risk exposure, which is the likelihood Internal Control of significant misuse of resources; failure to achieve Assessments program objectives; and noncompliance with laws, regulations, and management policies, etc. The next step in the process is to assessinternal control effectiveness. The relationship of risk exposure and internal control effectiveness determines the exten- siveness of audit/evaluation tests as illustrated in table 2.1 below. Page 14 GAO/OP-4.1.4 Chapter 1 internal Control Requirements Table 2.1: Determining Extensiveness of Audit Tests Internal control Extensiveness of Risk exposure + effectiveness = audit tests High Weak High Adequate Moderate to high Strong Low to moderate Moderate Weak Moderate to high Adequate Moderate Strong Low LOW Weak Low to moderate Adequate Low Strong Very low Chapter 2 describes how to assessrisk exposure, and chapter 3 describes how to assessthe effective- ness of internal controls. * f * * * Definitions of key terms used in this guide are con- tained in the glossary. Page 16 GAO/OP=LlA Chapter 2 AssessingRisk Exposure The key steps in determining risk exposure are to . determine significance and sensitivity; . evaluate the susceptibility of failure to attain pro- gram goals, noncompliance with laws and regula- tions, inaccurate reporting, or illegal or inappropriate use of assets or resources; l be alert to any “red flags;” l consider management’s support; and . consider competency of personnel. These key steps are discussed in sequence in this chapter, but in actual practice, these steps might be performed concurrently with other assignment steps. Also, in some circumstances these steps might only require a very brief consideration, or staff may already have sufficient knowledge to reach these assessments. Significance and Significance refers to the importance of items, events, information, matters, or problems. Fre- Sensitivity quently significance can be assessedin terms of dol- lars, In other instances, assessing significance requires a more subjective judgment. For example, the unauthorized use of a government vehicle in a single instance is normally considered of limited sig- nificance, but unsafe operation of a nuclear power plant is of great significance since a failure could be a catastrophe. Sensitivity refers to the likely perception and emo- tional response by others to conditions or circum- stances. Determining sensitivity requires judgment based on the circumstances in each case, but some issues likely to be judged as sensitive include . issues that have received media coverage; . issues that have been the subject of congressional interest and inquiry; l issues of a highly partisan nature; 9 issues involving mistreatment of children or the eld- erly; and Page 16 GAO/OP-4.1.4 Chapter 2 Assessing Risk Exposure l issues involving environmental contamination or pollution. A high degree of risk exposure may be indicated by either the significance or the sensitivity of the sub- ject matter under review, or matters may be both significant and sensitive. For example, a former high-level official used influence to convince an agency to fund construction of certain projects, and for minimal effort, the former official was paid a large fee by the project developers. As reported, these instances of imprudent use of public funds could total hundreds of millions of dollars. Disclo- sures of these instances received a great amount of publicity. Susceptibility After determining significance and sensitivity, staff should next assesssusceptibility. Susceptibility refers to the propensity fur misuse of resources; failure tv achieve program objectives; and noncom- pliance with laws, regulations, and management, policies, etc. An item or an issue of large significance does not necessarily involve great susceptibility. For example, an item of military equipment might have large significance because of its high cost, but it might be so large and heavy or difficult and expen- sive to operate that there is only a low risk of theft or unauthorized use. Staff should formulate questions to assess suscepti- bility, based on the inherent nature of the subject being audited/evaluated, and should maintain an attitude of skepticism. Examples of questions to ask follow. l Does the activity under audit involve liquid assets that are readily marketable (e.g., cash or securities) or could be misappropriated fur personal use (e.g., tools, cars, auto repair parts, or computers)? Page 17 GAO,‘OP-4.1.4 Chapter 2 Assessing Risk Exposure Such assets are very susceptible to improper use or theft. l Do the incentives to make false representations or claims outweigh the penalties? If benefits are based on need, individuals will have an incentive to overstate their need in order to qualify or get a larger benefit. Normally, there should be a penalty or a deterrent to discourage persons from making false or exaggerated claims. l Are the requirements imposed on program partici- pants reasonable, or are they so complicated and cumbersome that failure to comply can be expected? . Does the activity have numerous transactions? The more transactions there are, the greater the chances of errors or irregularities. Also, a large number of transactions increases the difficulty of detecting errors or irregularities. l Have important government activities/programs been contracted out or delegated to persons outside the government without an adequate control system? In 1987, fur example, the Department of Housing and Urban Development reported in its annual FIA report that inadequate property disposition controls provided the potential for closing agents (who were not government employees) to manipulate funds or take funds for their own use. In 1989, a closing agent testified that she had improperly used large amounts of government funds for unauthorized purposes. l Are significant benefits of government programs extended to individuals or corporations by gvvern- ment officials whose actions are generally not sub- ject to public examinations? Page 18 GAO,‘OP-4.1.4 Chapter 2 Assessing Risk Exposure Generally, if actions and/or decisions by govern- ment officials are not subject to public examination or scrutiny, there is a greater opportunity for those officials to take actions or make decisions which are not in the best interests of the government. . Is the program or the activity designated as a high- risk area by GAO or the Office of Management and Budget (OMB)? GAO and OMB have identified high-risk programs and activities vulnerable to fraud, waste, abuse, and mismanagement. GAO’s list of 14 areas includes such items as guaranteed student loans, Department of Defense major systems acquisitions, and manage- ment and disposal of savings and loan assets worth billions of dollars. l Have the agencies’ FIA reports included material internal control weaknesses pertaining to the activity? If the responsible agency determines that a given program or activity has major management or con- trol problems, such information should be consid- ered as prima facie evidence of a high degree of susceptibility. “Red Flags” Staff should be alert for and consider any “red flags,” including 9 a prior history of improper program administration (e.g., agency officials’ convictions of bribery); l a history of material weaknesses described in annual FIA reports or prior audits; l agency officials obtaining financial or other benefits on the basis of decisions made or actions taken in an official capacity; l awarding of grants/contracts by high ranking offi- cials and inadequate review of such transactions; l poorly defined and documented internal control procedures; Page 19 GAO/OP4.1.4 Chapter 2 Assessing Risk Exposure . recognition by agency officials/internal auditors that the agency’s automated systems are anti- quated, poorly designed, and/or fail to meet user needs; lack of, or an ineffective, internal audit function; complex transactions; lack of specific performance measures for the pro- gram/activity, thereby making accountability for results difficult or impossible to measure; . a high default rate on government-backed loans, high asset write-offs, continued losses of sensitive items, poor inventory controls, physical inventories not performed, inadequate reconciliation and reso- lution of major discrepancies, etc.; management inability to correctly establish priorities; activities dominated and controlled by a single person or a small group; a high rate of personnel turnover in key occupa- tions; and unreasonable explanations by auditee. Management Staff should consider whether management recog- nizes the importance of, and has made a commit- support ment to implement, internal controls. Examples of questions to ask follow. l Has management set the right “tone at the top” by clearly stating, in writing, its expectations for integ- rity, honesty, and impartiality? . Has management prescribed behavior standards, including a code of conduct, and conflict of interest regulations? i l Does management support and comply with its written expectations, or is there a prevalent envi- ronment in which management ignores the stan- dards that apply to others? l Is there a strong and competent Inspector General (IG) organization? l Does management promptly respond when control problems are first identified, or have control Page 20 GAO,‘OP-4.1.4 Chapter 2 Assessing Risk Exposure problems been repeatedly disclosed in prior audits/ evaluations by GAO, the IG, or others? l Has management reviewed the subject area during its periodic FIA reviews? If so, was the FIA review reasonably comprehensive? l Is management willing to discuss its approach toward controlling assets and activities‘? l Is management knowledgeable of the subject area and potential problems? Competence of Managers and employees of the entity should have personal and professional integrity and should Personnel maintain a level of competence that allows them to accomplish their duties, as well as understand the importance of developing and implementing good internal controls. Examples of questions to ask follow. 0 Is there a stable management team with continuity and a good reputation? 9 Are employees periodically reminded of their responsibilities under the code of conduct? 9 Are employees’ financial holdings periodically reviewed? l Have technical skill requirements been prescribed? Are they based on appropriate criteria and in accor- dance with normal requirements of the particular occupation? . Is there a sufficient number of employees to accom- plish tasks? 9 Do hiring and staffing decisions include verification of education and experience? l Are employees provided needed formal and on-the- job training? * * * * * After considering the above elements, staff should assess whether overall risk exposure is high, mod- erate, or low. Page 21 GAO/OP-4.1.4 Chapter 2 Assessing Risk Exposure This assessment affects the level of expectations for the strength of and the adherence to internal con- trols, which, in turn, influences the extent of required audit testing. Chapter 3 discusses these issues in greater detail. Page 22 GAO/OP4.1.4 Chapter 3 Assessing Internal control systems After assessing risk exposure, GAO staff should assess the effectiveness of the internal control system. In most cases, internal control assessments are necessary to ensure that GAO’s work will meet assignment objectives and enable GAO’s products to present results in a balanced perspective. Any transaction, event, or award examined by GAO might be atypical. Control assessments give evi- dence whether transactions, events, or awards are likely to be handled in the same manner. Therefore, this tool can help determine whether GAO findings represent prevalent conditions or isolated occurrences. Internal controls include (1) the objective(s), (2) the control procedures used to provide reasonable assurance that goals and objectives are met; resources are adequately safeguarded and effi- ciently used; reliable data are obtained, maintained, and fairly disclosed in reports; and laws and regula- tions are complied with, (3) the accounting system, and (4) management’s monitoring system. The key steps in assessing internal controls are to l identify and understand relevant internal control(s), l determine what is already known about control effectiveness, l assess adequacy of control design, 9 determine if controls are properly implemented, and l determine if transactions are properly documented. The objective of determining the effectiveness of controls is to determine the extent to which they can be relied on and thereby reduce the extent of audit/evaluation testing. This relationship of risk exposure and effectiveness of internal controls is illustrated by table 2.1 on page 15. Obviously, the greater reliance one places on internal controls, the less testing may be required, thus showing a direct payoff for this assessment effort, Page 23 GAO/OP4.1.4 Chapter 3 Assessing Internal Control Systems Identifying Internal controls consist of the control objective(s), control procedures, the accounting system, and Controls management’s monitoring system. Control objectives are the positive effects that man- agement tries to attain or an adverse condition/neg- ative effect that management is seeking to avoid. Control procedures are the specific steps estab- lished by management to provide reasonable assur- ance that control objectives are achieved. Accounting system includes the methods and the records used to identify, assemble, analyze, classify, record, and report transactions and maintain accountability for assets, liabilities, revenues, and expenses. Monitoring system includes management’s methods for following up and checking on performance to ensure that control and accounting procedures are complied with. It includes internal auditing func- tions and systems for following-up on needed cor- rective actions. Judgment must be used to identify and understand controls related to the assignment’s objective(s). For example, if the objective is to determine whether an agency properly awards grants, the staff should focus on control procedures relating to evaluating and approving grant applications and on accounting system controls to ensure that sufficient funds are available for award and that excessive grants (indi- vidually or in total) are not made. Controls relating to recipient use of grant funds, although very important to the overall program, are not directly related to the objective and thus need not be reviewed. Known Control After identifying and understanding the controls relevant to the assignment’s objective(s), staff Effectiveness should consider what, if anything, is already known Page 24 GAO/OP4.1.4 Chapter 3 Assessing Internal Control Systems about control effectiveness. GAO or other audit/ evaluation organizations may have recently com- pleted audits/evaluations that included assessments of internal controls. If GAO has recently completed such an assessment, consideration should be given to how recent the assessment was and whether assessment results need to be updated with limited inquiries and tests. If an assessment was recently made by another audit/evaluation organization, staff should consider how recent and thorough the assessment was, as well as the organization’s reputation, qualifications, and independence. A determination should then be made whether to rely on the results, or do addi- tional tests. (See the Yellow Rook, p. 3-14). If prior control assessments by GAO or others are considered to be sufficiently recent and thorough, staff need not further assessinternal control design and implementation. Assessing Control Considering the information developed during the assessment of risk exposure and on the basis of Design skepticism, GAO staff should project what is most likely to be wrong (misuse of resources, failure to attain program objectives, etc.). Then, the internal controls should be examined to determine if they are logical, reasonably complete and are likely to deter or detect possible misuse, failure, or errors. Assume, for example, that GAO is assessing whether an agency properly awards grants. Also assume the assessment of risk exposure indicates that the agency may be making grants even though some recipients are not complying with require- ments to (1) have approved affirmative action plans, (2) fully account for prior grants, and (3) prepare and obtain approval of environmental impact statements relating to any proposed capital improvement projects. Under these circumstances, Page 25 GAO,‘OP-4.1.4 Chapter 3 Assessing Internal Control Systems staff should determine what, if any, controls are in place to ensure that applicants meet these criteria. For example, staff could determine whether affirm- ative action plans were in place, and whether the granting agency confirmed that such affirmative action plans for applicants were approved. If not, such an omission would represent a weakness that should be pursued through subsequent tests to determine if, in fact, grants are being made to appli- cants that did not have approved affirmative action plans. Controls should provide reasonable, but not abso- lute, assurance of deterring or detecting misuse of resources, failure to achieve program objectives, noncompliance with laws, regulations, and manage- ment policies, etc. In assessing the extensiveness of needed controls, GAO staff should consider the rea- sonableness of the controls in relation to the bene- fits to be gained. Are Controls Even though internal controls may be logical and well-designed and may seemingly be strong, system Implemented? effectiveness may be impaired if control procedures are not correctly and consistently used. For example, if an entity requires the manager’s approval for all purchases over $25,000 but the manager does not, in fact, review the purchase orders, this requirement will not effectively prevent or detect unnecessary purchases. Thus, the extent that control procedures are adhered to should be determined. Control procedures may not be complied with because management may override them; employees may secretly be working together (collu- sion) to avoid using or circumvent them; and employees may not be correctly applying them due to fatigue, boredom, inattention, lack of knowledge, or misunderstanding. Page 26 GAO/OP4.1.4 Chapter 3 Assessing Internal Control Systems Sufficient testing should be conducted to afford a reasonable basis for determining whether the con- trols are being consistently applied. All transactions and events should be clearly docu- Proper mented, and documentation should be readily avail- Transaction able for examination. Examples of questions to ask Documentation follow. Are internal control objectives and procedures for- l malized in writing‘? l Have policies and procedures been systematically documented, including policies and procedures manuals or guides, personnel manuals, organization charts, flow charts, or other written descriptions? 9 Are all transactions and events adequately docu- mented, and is documentation readily available for examination‘? l Are FIA assessments thoroughly documented? Does documentation show personnel involved in making the assessments, evaluation methods used, key fac- tors considered, tests performed, and conclusions reached? Is other required documentation, for example, current internal control directives and management control plans, prepared and available? l Is budget justification data available, and is it con- sistent with other accounting and budgetary data? ***+* Detailed tests should be designed considering objec- tive(s), risk exposure, and control strengths and weaknesses. For example, assume that an assignment’s objective is to determine whether an agency properly awards grants and GAO determines that (1) the controls over determining applicants’ eligibility are strong but (2) the controls over accounting for grant funds are weak. Page 27 GAO/OP-4.1.4 Chapter 3 Assessing Internal Control Systems In this case, tests for eligibility determination should be restricted and might include taking a small judgmental sample of approved and rejected applications and independently confirming key information relating to eligibility. Conversely, tests over accounting for grant funds should be more extensive. Tests might include confirming that (1) all grantees actually received the funds to which they were entitled, (2) funds were advanced to grantees in accordance with regulations, (3) the granting agency did not exceed amounts approved by OMB, (4) any funds impounded by OMB or the granting agency were reported as required by law, and (5) accounting and budget records accurately reflected actual transactions and balances. Chapter 5 contains a case study illustrating how risk exposure and internal control effectiveness affect the extent of audit/evaluation tests. Determining In its audits/evaluations, GAO frequently uses data Reliability of that was processed by computer. Generally accepted government auditing standards, in the Computer-Processed Yellow Book, require that when computer- Data processed data are an important part of the audit and the data’s reliability is crucial to assignment objectives, the data’s relevance and reliability be established. Special concepts and techniques are necessary to determine reliability of computer-processed data. GAO has prepared a guide, entitled Assessing the Reliability of Computer-Processed Data (GAO/OP- 8.1.3) that explains how to do this. Page 28 GAO/OP4.1.4 Chapter 4 Reporting on Internal Control Assessments This chapter discusses the generally accepted gov- ernment auditing standards requirement for reporting results of internal control assessments. It also gives illustrative language to use when staff determine that controls can or cannot be relied on, or when control effectiveness was not assessed. Government For performance audits, the government auditing standards provide that: Auditing Standards The report should identify the significant internal controls that were assessed, the scope of the auditor’s assessment work, and any signif- icant weaknesses found during the audit. Reporting on internal controls will vary depending on the significance of any weaknesses found and the relationship of those weaknesses to the audit objectives. Where the sole objective is to audit the internal con- trols, weaknesses found of significance to warrant reporting would be considered deficiencies and be so identified in the assignment product. The internal controls that were assessed would be iden- tified for full presentation of the findings. In performance audits, significant weaknesses in internal controls may be identified as a key source of deficient performance. In reporting such find- ings, the controls would be identified and the weak- nesses would be described as the “cause.” Any internal control weaknesses not included in the principal assignment product because of insignifi- cance, should be separately communicated to man- agement, preferably in writing. The principal product should make reference to control weak- nesses being separately communicated to management. Page 29 GAO/OP-4.1.4 Chapter 4 Reporting on Internal Control Assessments internal control weaknesses, the weaknesses should Assessment be discussed in the product and linked, as specifi- cally as possible, to GAO’s Standards for Internal Controls in the Federal Government. Significant internal control weaknesses identified in GAO’s work typically are presented as causes of problems or deficiencies and should be accompanied by rec- ommendations for corrective action. If significant control weaknesses are identified, the product also should disclose whether they were included in the agency’s reporting under FIA. If the weakness is significant and has not been reported under FIA, GAO should recommend that it be reported. Reporting on If GAO’s assessments shows that controls are effec- Reliable Controls tive and can be relied on, a GAO product might state: “We reviewed the agency’s internal controls relating to [describe controls]. Our tests showed that the agency’s con- trols were logically designed and consistently applied. There fore, we limited our tests to [describe tests performed].” Reporting on GAO’s control assessment may show that controls Unreliable Controls cannot be relied on. In these cases, a GAO product might state: “We reviewed the agency’s controls relating to [describe con- trols]. Our assessment showed that the controls were not properly designed and/or implemented, therefore we could not rely on them in designing our audit approach. However we conducted more extensive testing to achieve our objective of [describe objective].” The report should clearly state what alternate steps and additional tests were done to ensure that the transactions were properly handled and recorded. When internal controls are unreliable, caution must be used in relying on extended audit tests to achieve assignment objectives. In some cases, achievement Page 30 GAO/OP-4.1.4 Chapter 4 Reporting on Internal Control Assessments of objectives would require such extensive testing that the costs of doing the work would be prohibi- tive or impractical. In such cases, staff should con- sider alternatives including redefining assignment objectives, and/or reporting that objectives could not be met because of the poor controls and the high cost of alternative test procedures. Reporting on When controls are important to issues addressed in Unassessed Controls a product but were not reviewed, the product must be qualified. For example: “We did not review internal controls relating to the [describe controls] because [cite reason]. Except as noted above, our work was conducted in accordance with generally accepted government auditing standards.” If such a nonconformity statement is necessary, the position must be discussed with the Assistant Comptroller General for Planning and Reporting before final processing. Page 31 GAO/OP-4.1.4 Chapter 5 CaseStudy: Guasanteed Student Lmns Using a hypothetical case, this chapter illustrates how to assess internal controls and how assessment results influence the extent of audit/evaluation testing. It describes background and the case study objective, and it illustrates how to determine the extent of testing required. This case study illustrates how to apply the con- cepts discussed in earlier chapters, but in actual practice staff would resolve issues and perform these steps concurrently. Some issues would require only brief consideration, and others may have already been resolved by prior GAO efforts, or knowledge of the issues/environment. Background Under the Stafford Student Loan Program, private lenders make loans at low interest rates to qualified students attending approved educational institu- tions. The Department of Education pays the interest while the loan recipient attends school and for a stipulated time thereafter (the grace period). Education also funds special allowance payments during the life of the loan to provide lenders the dif- ference between the loan interest rate and the rate on go-day Treasury bills, plus 3-l/4 percent. If bor- rowers default on their loans, the intermediaries (usually state agencies) pay the lenders; Education stops paying interest and special allowances; and the intermediaries are, in turn, reimbursed up to 100 percent by Education. Case Study For the purposes of this case study, assume that the assignment objective is as follows: Objective Determine if Education is paying substantial amounts of interest and special allowance (interest subsidy) to lenders for ineligible students under the Stafford Student Loan Program or if incorrect amounts are being paid on behalf of eligible students. Page 32 GAO/OP4.I.4 Chapter 6 Case Study: Guaranteed Student Loans Risk Exposure In determining risk exposure, consideration should be given to: (1) significance and sensitivity; (2) the susceptibility of making incorrect interest and spe- cial allowance payments; (3) the existence of any “red flags;” (4) indications of whether management supports strong internal controls; and (5) the exis- tence of sufficient, competent personnel to ade- quately administer the controls. Significance and Determining the significance and sensitivity of stu- Sensitivity dent loans involves resolving questions such as the following: l What is the amount of funds involved? l Is it increasing or decreasing? l Is the program likely to continue, or is it likely to be curtailed or eliminated? 9 Is there much congressional interest in student loans‘? Is there much publicity in the media? Susceptibility In assessing susceptibility to incorrect interest and special allowance payments staff should ask ques- tions such aasthe following: . Do students have an incentive to withhold informa- tion and/or provide inaccurate information to lenders, schools, intermediaries, and/or Education that would cause interest and special allowance overpayments? l Is there a lack of incentives for lenders, schools, and intermediaries to carefully fulfill their program responsibilities? Are the penalties for doing a poor job insignificant or nonexistent? l Is there a practical penalty to discourage students (or others) from making false claims? Are penalties appropriately used? l Are the administrative and paperwork require- ments imposed on students, intermediaries, lenders, schools, and others understandable and feasible to meet’? Page 33 GAO,‘OP4.1.4 Chapter 5 Case Study: Guaranteed Student Loans + Have there been frequent changes in laws and regulations‘? l Are there many transactions? 9 Are there many program participants (borrowers, lenders, schools, and intermediaries)‘? l Are significant program aspects (e.g., approving eli- gibility for loans and determining loan amounts) administered or determined by those not under Education’s direct control (e.g., employees of lenders, schools, and intermediaries)? . Have student loans been designated as a high-risk area by GAO or OMB? . Is program management highly decentralized? Are significant loan decisions (e.g., loan approval and certification of schools for program participation) made by many persons at widely scattered loca- tions? (Too much decentralization without adequate monitoring and control may increase the risk of erroneous decisions.) “Red Flags” Staff should be alert for and consider any “red flags” or indicators of weakness. These might include a high rate or an increasing rate of loan defaults, inadequate records to support lenders’ interest and special allowance billings, prosecution and/or conviction of persons for fraud- ulently obtaining student loans, and allegations or indications that some schools were not providing quality instruction but were running “diploma mills” to swindle students and the government. Management Staff should also consider management’s support of support internal controls. Questions to ask include: . Has management at the Department of Education and at the intermediary, school, and lender levels prescribed and adhered to a code of conduct and/or conflict-of-interest regulations’? Page 34 GAO/OP4.1.4 Chapter 6 Case Study: Guaranteed Student Loans . Have past efforts by GAO and other audit/evalua- tion groups identified significant erroneous pay- ments of interest and special allowances? If so, has Education management promptly implemented cor- rective action‘? . Has the program been reviewed during Education’s periodic FIA reviews? Was prompt management action taken when needed? 9 Is Education management knowledgeable about the program and actual or potential problems? l Is Education management willing to discuss various aspects of the program cooperatively? Competence of Finally, in assessing inherent risk, staff should con- Personnel sider the competence of personnel to adequately and consistently administer the loan program. Ques- tions to ask include: l Do lenders, schools, and/or intermediaries have dif- ficulty maintaining a staff with adequate technical knowledge to ensure accurate and consistent pro- gram administration? . Has Education prescribed any academic, experi- ence, and/or ethical standards for employees of the intermediaries, lenders, or schools to ensure their competence and integrity‘? l Are employees of Education, intermediaries, lenders, and schools periodically reminded of their responsibilities under the code of conduct? * * * * * On the basis of the information obtained in response to these questions, staff should be able to determine whether risk exposure is high, moderate, or low. Page 36 GAO/OP4.1.4 Chapter 5 Case Study: Guaranteed Student Loam After determining the degree of risk exposure, staff Assessing Control should assess internal control effectiveness by Effectiveness . identifying and understanding controls, l determining what is already known about control effectiveness, l assessing adequacy of control design, l determining if controls are properly implemented, and l determining if transactions are properly documented. Identifying Controls Staff should use judgment in identifying and under- standing controls. They should try to identify important control features related to assignment objective(s), and exclude from consideration fea- tures not related to assignment objectives In this case study, GAO should consider internal controls relating to such matters as the following: l the mathematical accuracy of lenders’ billings; l lenders’ verifications with educational institutions that borrowers are active students (if borrowers are no longer active students or are not in the grace period, they must begin loan repayment); . verifying that students are attending schools that have been approved by Education; and l verifying that students met financial and other eli- gibility requirements. Conversely, GAO staff should probably exclude from consideration internal controls not directly related to the assignment objective, such as l the adequacy of Education’s review and approval of lenders for program participation, l intermediaries’ efforts to recover amounts owed on defaulted loans and l lending institutions’ compliance with nondiscrimi- natory employment requirements. Page 36 GAO,‘OP-4.1.4 Chapter 6 Case Study: Guaranteed Student Loans Known Control After identifying controls related to assignment Effectiveness objectives, staff should consider what is already known about the effectiveness of the controls. Such knowledge may be based on GAO prior work (sup- plemented by limited inquiries and tests, if needed, to ensure GAO’s knowledge is up-to-date) or on work by other audit/evaluation organizations. If the work was done by other organizations, GAO staff should make inquiries and perform tests to deter- mine its acceptability and reliability. (See the Yellow Book, p. 3-14). What is already known about control effectiveness influences additional work required. If, for example, prior GAO work shows that Education has strong controls to ensure the mathematical accu- racy of lenders’ billings, further analysis of the con- trols is not necessary. Similarly, if a recent IG audit shows that Education did not have adequate controls to ensure that stu- dents received grades satisfactory to stay eligible and if GAO inquiries establish the acceptability and the reliability of the IG’s work, further GAO anal- ysis of Education’s controls over this subject are not necessary. Staff could then design the implementa- tion audit/evaluation tests on the basis that those controls are weak. Assessing Control The next step is to anticipate the events or transac- Design tions that are most likely to negatively affect assignment objectives. Then staff should assess whether the controls are adequate and reasonable to prevent or detect the negative events or transac- tions, assuming that the controls are faithfully implemented. For example, staff may have developed concerns about whether recipients were obtaining loans through two or more state agencies and thereby receiving loans exceeding the maximum allowable amount. To detect this negative condition (if it Page 37 GAO/OP4.1.4 Chapter 5 Case Study: Guaranteed Student Loans exists), Education could use a computer to match names, addresses, and/or identification numbers of recipients in different states and follow up to resolve any apparent “matches.” Some additional negative events or transactions that might be anticipated or projected include the following: l Applicants may be misrepresenting their financial or other circumstances to qualify for loans. l Even though they may meet eligibility require- ments, applicants may be misreporting circum- stances to obtain larger loan amounts than they are entitled to. 9 Lenders may be incorrectly computing the amounts of interest subsidies. (This is a complex computa- tion for each loan. Correct interest subsidy depends on the difference in the loan rate and the Treasury interest rate; these rates vary according to when the loans were made.) 9 Special allowance payments may be excessive because lenders are not promptly determining when borrowers have completed school or dropped out. (Normally, when students graduate or drop out, they are required to begin loan repayment, after expiration of the grace period, and Education’s pay- ment of special allowances is reduced). 9 Duplicate interest and special allowance payments might be paid because the original lender might have “sold” a loan to another financial institution and both institutions may be claiming the interest and special allowance on that loan. In each of these anticipated conditions, staff should examine the design of internal controls to determine if the negative condition would be deterred or detected. Page 38 GAO,‘OP-4.1.4 Chapter 5 Case Study: Guaranteed Student Loam Are Internal Internal controls are not effective unless they are Controls correctly and consistently applied. Therefore, in addition to assessing the adequacy of control Implemented? design, GAO staff should confirm that the controls have been correctly applied. For example, if Education makes a periodic com- puter comparison to detect any multiple loans to single recipients, GAO staff might examine the results of the comparison and determine what action was taken to resolve apparent duplicate loans. The extent of GAO’s examination would depend on circumstances such as the suspected severity of the problem, its apparent monetary sig- nificance, the possibility of recovering any exces- sive loan amounts with interest and special allowances, and any indications of congressional and/or public interest. Are Transactions Finally, in assessing internal control effectiveness, Properly staff should consider the adequacy of documenta- tion. Questions to ask include: Documented? l Has Education prescribed written internal control objectives and procedures for its staff, as well as for the staffs of other organizations participating in program administration? 9 Do lenders maintain complete loan files on active loans, fully documenting all transactions and information? . Do lenders submit required documentation with quarterly billings for interest and special allowances? l Do intermediaries maintain complete files on defaulted loans, documenting such information as borrowers’ current addresses and dates of contacts made to attempt collection? Page 39 GAO/OP-4.1.4 Chapter 6 Case Study: Guaranteed Student Loam Designing Audit/ As indicated by table 2.1 (see p. 15), the extent of audit/evaluation tests is determined by the ade- Evaluation Tests quacy of internal controls and the risk exposure of the issue. Table 2.1 depicts the principles involved in determining the extent of testing but in practice, this determination is a complex one, requiring judgment. Moreover, on some assignments, multiple determi- nations may be needed. For example, the controls relating to one audit objective may be strong, whereas the controls related to another audit objec- tive may be weak; the extent of testing would depend on the circumstances. The following discussions illustrate how testing would be performed under risk exposure and internal control conditions that require high, mod- erate, and low testing. High Level of Assuming that extensive tests are required, they Testing could include the following: . Select a sample of lenders’ billings that will provide a reasonable basis for determining if substantial excessive interest and special allowance payments are being made. . Verify that the students met financial and other eli- gibility requirements by examining documents such as loan applications and confirmation of tuition and other relevant costs and applicants’ income and assets. 9 Verify that the loans were approved by intermediaries for insurance under the program. 9 Verify that Education approved schools for participation. l Determine if the correct rate was used to compute interest. l Determine if interest was calculated correctly. l Determine if borrowers were active students (or were in the grace period) to verify that Education was liable for the interest. Page 40 GAO/OP-4.1.4 Chapter 6 Case Study: Guaranteed Student Loans l Recompute loan balances to verify that lenders cor- rectly computed them. l Verify that lenders had the loans in their portfolios for the billing periods in question. (Lenders often sell loans to other institutions in what is commonly referred to as the secondary market.) Staff should also devise detailed tasks necessary to perform each of these tests. For example, in deter- mining whether borrowers were active students or were in the grace period (thus making Education liable for loan interest payments), specific tasks could include the following: l Check lenders’ individual loan files to determine if they inquired whether borrowers were active students. l If schools responded to lender inquiries, note dates of student attendance and credit hours taken. l Compare dates of attendance with the periods cov- ered by the lenders’ interest billings paid by Educa- tion to see if they correspond. l If lenders’ files do not contain needed information, contact schools and request dates of student attendance. The above tests and tasks illustrate the steps that might be taken in the example. In practice, the work to be done must be adapted to the needs of each assignment, including time and cost considerations. Moderate Level of If GAO’s assessment of risk exposure and internal Testing control effectiveness indicates that a moderate degree of audit testing is needed to satisfy assign- ment objectives, the types of issues tested would be similar to, but less comprehensive than the testing described in the high level of testing discussed above. The focus of the audit/evaluation tests would depend on the specific information developed during the assessment of risk exposure and control Page 41 GAO/OP-4.1.4 Chapter 6 Case Study: Guaranteed Student Loans effectiveness. For example, assume that an IG audit established that internal controls were strong, and GAO inquiries have determined that the IG audit . was comprehensive, examining interest and special allowance payments made to a representative sample of lenders over a wide geographical area; . was carefully planned and supervised, was based on a logical methodology, and included an evalua- tion of internal controls; and l identified some overpayments and underpayments and made recommendations for improvement, which Education management agreed to implement. However, for this illustration, assume that the IG audit did not verify that (1) Education had approved the schools for participation and (2) lenders had the loans in their portfolios. IJnder these circumstances, GAO’s audit tests might include the following: l Make supplemental tests of a small sample of trans- actions examined by the IG or similar transactions. Make t.he sample selection by judgmentally deter- mining the sample size, and randomly selecting transactions. l Determine if the promised corrective actions had been taken. l Select a sample of lenders’ billings and determine whether (1) t.hc schools were on Education’s approved list and (2) lenders had the loans in their portfolios. Staff are expected to design detailed tasks to per- form these tests. For example, to determine if lenders had the loans in their portfolios, the fol- lowing tasks might be performed: l Obtain a computer printout showing borrowers’ identification numbers at lenders selected for examination. Page 4 2 GAO/OP4.1.4 Chapter 5 Case Study: Guaranteed Student Loans . Select a statistical sample from the printout and examine lender documentation to confirm that loans were in their portfolios. Low Level of Testing This case does not lend itself well to a low level of testing because risk exposure is so high. But assume that GAO’s assessment has confirmed that strong controls are being consistently applied to prevent or detect negative conditions that might reasonably exist and are related to payment of interest and special allowances. Assume further that a manage- ment study group has recently completed a thor- ough examination of interest and special allowance payments and GAO’s inquiries confirmed that the group’s work was comprehensive, both in scope and content, and appropriate tests show that the work was reliable. (See the Yellow Book, p. 3-14.) Under these circumstances, further audit/evalua- tion tests might be limited to the following: l Follow-up on prior recommendations to assure proper implementation and desired results. Check whether any other audit/evaluation efforts have been performed. 9 Update any procedural or system changes since the last audit/evaluation. l Ascertain if key personnel changes have been made in areas covered by the audit. l Select a small sample of lender’s billings and deter- mine if (1) Education’s records show that borrowers were eligible and (2) valid interest rates were used and mathematical calculations are correct. Make a sample selection by judgmentally determining the sample size, and randomly making the selection of billings. Page 43 GAO/OP4.1.4 Glossary Accounting System The methods and the records established to iden- tify, assemble, analyze, classify, record, and report an organization’s transactions and to maintain accountability for assets, liabilities, revenues, and expenses. Control Objective The positive effect that management tries to attain or an adverse condition/negative effect that man- agement seeks to avoid. Control Procedures The specific steps that management has established to provide reasonable assurance that control objec- tives will be achieved. Internal Controls The (1) objectives, (2) control procedures used to provide reasonable assurance that goals and objec- tives are met; resources are adequately safeguarded and efficiently used; reliable data are obtained, maintained, and fairly disclosed in reports; and laws and regulations are complied with, (3) accounting system, and (4) management’s moni- toring system. Monitoring System Management’s methods for following up and checking on performance to ensure that control and accounting procedures are complied with. It includes internal auditing functions and systems for following up on needed corrective actions. Risk Exposure The overall assessment of probability that the sub- ject matter or the objective of the audit/evaluation will have experienced significant misuse of resources; failure to achieve program objectives; noncompliance with laws, regulations, and manage- ment policies, etc. Page 44 GAO,‘OP-4.1.4 Glossary Sensitivity The likely perception and emotional response by others to conditions or circumstances. Significance The importance of items, events, information, mat- ters, or problems. Page 46 GAO/OP4.1.4
Assessing Internal Controls in Performance Audits
Published by the Government Accountability Office on 1990-09-01.
Below is a raw (and likely hideous) rendition of the original report. (PDF)