November 1999

Standards for Internal Control in the Federal Government

GAO/AIMD-00-21.3.1


Foreword

Federal policymakers and program managers are continually seeking ways to better achieve agencies' missions and program results; in other words, they are seeking ways to improve accountability. A key factor in helping achieve such outcomes and minimize operational problems is to implement appropriate internal control. Effective internal control also helps in managing change to cope with shifting environments and evolving demands and priorities. As programs change and as agencies strive to improve operational processes and implement new technological developments, management must continually assess and evaluate its internal control to assure that the control activities being used are effective and updated when necessary.

The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires the General Accounting Office (GAO) to issue standards for internal control in government. The standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, revised June 21, 1995, provides the specific requirements for assessing and reporting on controls. The term internal control in this document is synonymous with the term management control (as used in OMB Circular A-123) that covers all aspects of an agency's operations (programmatic, financial, and compliance).

Recently, other laws have prompted renewed focus on internal control. The Government Performance and Results Act of 1993 requires agencies to clarify their missions, set strategic and annual performance goals, and measure and report on performance toward those goals. Internal control plays a significant role in helping managers achieve those goals. Also, the Chief Financial Officers Act of 1990 calls for financial management systems to comply with internal control standards, and the Federal Financial Management Improvement Act of 1996 identifies internal control as an integral part of improving financial management systems.

Rapid advances in information technology have highlighted the need for updated internal control guidance related to modern computer systems. The management of human capital has gained recognition as a significant part of internal control. Furthermore, the private sector has updated its internal control guidance with the issuance of Internal Control - Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Consequently, we have developed this standards update, which supersedes our previously issued "Standards for Internal Controls in the Federal Government."

This update gives greater recognition to the increasing use of information technology to carry out critical government operations, recognizes the importance of human capital, and incorporates, as appropriate, the relevant updated internal control guidance developed in the private sector. The standards are effective beginning with fiscal year 2000 and the Federal Managers' Financial Integrity Act reports covering that year.

We appreciate the efforts of government officials, public accounting professionals, and other members of the financial community and academia who provided valuable assistance in developing these standards.

David M. Walker
Comptroller General of the United States


Introduction

Definition and Objectives

The following definition, objectives, and fundamental concepts provide the foundation for the internal control standards.

Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources.

Internal control should provide reasonable assurance that the objectives of the agency are being achieved in the following categories:

• Effectiveness and efficiency of operations, including the use of the entity's resources.

• Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.

• Compliance with applicable laws and regulations.

A subset of these objectives is the safeguarding of assets. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets.

Fundamental Concepts

The fundamental concepts provide the underlying framework for designing and applying the standards.

Internal Control Is a Continuous Built-in Component of Operations

Internal control is not one event, but a series of actions and activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their aims on an ongoing basis.

Internal Control Is Effected by People

People are what make internal control work. The responsibility for good internal control rests with all managers. Management sets the objectives, puts the control mechanisms and activities in place, and monitors and evaluates the control. However, all personnel in the organization play important roles in making it happen.

Internal Control Provides Reasonable Assurance, Not Absolute Assurance

Management should design and implement internal control based on the related costs and benefits. No matter how well designed and operated, internal control cannot provide absolute assurance that all agency objectives will be met. Factors outside the control or influence of management can affect the entity's ability to achieve all of its goals. For example, human mistakes, judgment errors, and acts of collusion to circumvent control can affect meeting agency objectives. Therefore, once in place, internal control provides reasonable, not absolute, assurance of meeting agency objectives.


Internal Control Standards

Presentation of the Standards

These standards define the minimum level of quality acceptable for internal control in government and provide the basis against which internal control is to be evaluated. These standards apply to all aspects of an agency's operations: programmatic, financial, and compliance. However, they are not intended to limit or interfere with duly granted authority related to developing legislation, rule-making, or other discretionary policy-making in an agency.

These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agency's operations and to ensure that they are built into and an integral part of operations.

In the following material, each of these standards is presented in a short, concise statement. Additional information is provided to help managers incorporate the standards into their daily operations.

Control Environment

A positive control environment is the foundation for all other standards. It provides discipline and structure as well as the climate which influences the quality of internal control. Several key factors affect the control environment.

One factor is the integrity and ethical values maintained and demonstrated by management and staff. Agency management plays a key role in providing leadership in this area, especially in setting and maintaining the organization's ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate.

Another factor is management's commitment to competence. All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify the appropriate knowledge and skills needed for various jobs and provide needed training, as well as candid and constructive counseling, and performance appraisals.

Management's philosophy and operating style also affect the environment. This factor determines the degree of risk the agency is willing to take and management's philosophy towards performance-based management. Further, the attitude and philosophy of management toward information systems, accounting, personnel functions, monitoring, and audits and evaluations can have a profound effect on internal control.

Another factor affecting the environment is the agency's organizational structure. It provides management's framework for planning, directing, and controlling operations to achieve agency objectives. A good internal control environment requires that the agency's organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting.

The environment is also affected by the manner in which the agency delegates authority and responsibility throughout the organization. This delegation covers authority and responsibility for operating activities, reporting relationships, and authorization protocols.

Good human capital policies and practices are another critical environmental factor. This includes establishing appropriate practices for hiring, orienting, training, evaluating, counseling, promoting, compensating, and disciplining personnel. It also includes providing a proper amount of supervision.

A final factor affecting the environment is the agency's relationship with the Congress and central oversight agencies such as OMB. Congress mandates the programs that agencies undertake and monitors their progress, and central agencies provide policy and guidance on many different matters. In addition, Inspectors General and internal senior management councils can contribute to a good overall control environment.

Risk Assessment

A precondition to risk assessment is the establishment of clear, consistent agency objectives. Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives, such as those defined in strategic and annual performance plans developed under the Government Performance and Results Act, and forming a basis for determining how risks should be managed.

Management needs to comprehensively identify risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entitywide and activity level. Risk identification methods may include qualitative and quantitative ranking activities, management conferences, forecasting and strategic planning, and consideration of findings from audits and other assessments.

Once risks have been identified, they should be analyzed for their possible effect. Risk analysis generally includes estimating the risk's significance, assessing the likelihood of its occurrence, and deciding how to manage the risk and what actions should be taken. The specific risk analysis methodology used can vary by agency because of differences in agencies' missions and the difficulty in qualitatively and quantitatively assigning risk levels.

Because governmental, economic, industry, regulatory, and operating conditions continually change, mechanisms should be provided to identify and deal with any special risks prompted by such changes.

Control Activities

Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.

Activities may be classified by specific control objectives, such as ensuring completeness and accuracy of information processing.

Examples of Control Activities

There are certain categories of control activities that are common to all agencies. Examples include the following:

Top Level Reviews of Actual Performance

Management should track major agency achievements and compare these to the plans, goals, and objectives established under the Government Performance and Results Act.

Reviews by Management at the Functional or Activity Level

Managers also need to compare actual performance to planned or expected results throughout the organization and analyze significant differences.

Management of Human Capital

Effective management of an organization's workforce, its human capital, is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities.

Controls Over Information Processing

A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files, and programs. Further guidance on control activities for information processing is provided below under "Control Activities Specific for Information Systems."

Physical Control Over Vulnerable Assets

An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.

Establishment and Review of Performance Measures and Indicators

Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators.

Segregation of Duties

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.

Proper Execution of Transactions and Events

Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees.

Accurate and Timely Recording of Transactions and Events

Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event, from its initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded.

Access Restrictions to and Accountability for Resources and Records

Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

Appropriate Documentation of Transactions and Internal Control

Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained.

These examples are meant only to illustrate the range and variety of control activities that may be useful to agency managers. They are not all-inclusive and may not include particular control activities that an agency may need.

Furthermore, an agency's internal control should be flexible to allow agencies to tailor control activities to fit their special needs. The specific control activities used by a given agency may be different from those used by others due to a number of factors. These could include specific threats they face and risks they incur; differences in objectives; managerial judgment; size and complexity of the organization; operational environment; sensitivity and value of data; and requirements for system reliability, availability, and performance.

Control Activities Specific for Information Systems

There are two broad groupings of information systems control: general control and application control. General control applies to all information systems: mainframe, minicomputer, network, and end-user environments. Application control is designed to cover the processing of data within the application software.

General Control

This category includes entitywide security program planning, management, control over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. More specifically:

• Data center and client-server operations controls include backup and recovery procedures, and contingency and disaster planning. In addition, data center operations controls also include job set-up and scheduling procedures and controls over operator activities.

• System software control includes control over the acquisition, implementation, and maintenance of all system software, including the operating system, database management systems, telecommunications, security software, and utility programs.

• Access security control protects the systems and network from inappropriate access and unauthorized use by hackers and other trespassers or inappropriate use by agency personnel. Specific control activities include frequent changes of dial-up numbers; use of dial-back access; restrictions on users to allow access only to system functions that they need; software and hardware "firewalls" to restrict access to assets, computers, and networks by external persons; and frequent changes of passwords and deactivation of former employees' passwords.

• Application system development and maintenance control provides the structure for safely developing new systems and modifying existing systems. Included are documentation requirements; authorizations for undertaking projects; and reviews, testing, and approvals of development and modification activities before placing systems into operation. An alternative to in-house development is the procurement of commercial software, but control is necessary to ensure that selected software meets the user's needs, and that it is properly placed into operation.

Application Control

This category of control is designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. Control should be installed at an application's interfaces with other systems to ensure that all inputs are received and are valid and outputs are correct and properly distributed. An example is computerized edit checks built into the system to review the format, existence, and reasonableness of data.

General and application control over computer systems are interrelated. General control supports the functioning of application control, and both are needed to ensure complete and accurate information processing. If the general control is inadequate, the application control is unlikely to function properly and could be overridden.

Because information technology changes rapidly, controls must evolve to remain effective. Changes in technology and its application to electronic commerce and expanding Internet applications will change the specific control activities that may be employed and how they are implemented, but the basic requirements of control will not have changed. As more powerful computers place more responsibility for data processing in the hands of the end users, the needed controls should be identified and implemented.

Information and Communications

For an entity to run and control its operations, it must have relevant, reliable, and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all of its objectives.

Program managers need both operational and financial data to determine whether they are meeting their agencies' strategic and annual performance plans and meeting their goals for accountability for effective and efficient use of resources. For example, operating information is required for development of financial reports. This covers a broad range of data, from purchases, subsidies, and other transactions to data on fixed assets, inventories, and receivables. Operating information is also needed to determine whether the agency is achieving its compliance requirements under various laws and regulations. Financial information is needed for both external and internal uses. It is required to develop financial statements for periodic external reporting, and, on a day-to-day basis, to make operating decisions, monitor performance, and allocate resources. Pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently.

Effective communications should occur in a broad sense, with information flowing down, across, and up the organization. In addition to internal communications, management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals. Moreover, effective information technology management is critical to achieving useful, reliable, and continuous recording and communication of information.

Monitoring

Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.

Separate evaluations of control can also be useful by focusing directly on the controls' effectiveness at a specific time. The scope and frequency of separate evaluations should depend primarily on the assessment of risks and the effectiveness of ongoing monitoring procedures. Separate evaluations may take the form of self-assessments as well as review of control design and direct testing of internal control. Separate evaluations also may be performed by the agency Inspector General or an external auditor.

Deficiencies found during ongoing monitoring or through separate evaluations should be communicated to the individual responsible for the function and also to at least one level of management above that individual. Serious matters should be reported to top management.

Monitoring of internal control should include policies and procedures for ensuring that the findings of audits and other reviews are promptly resolved. Managers are to (1) promptly evaluate findings from audits and other reviews, including those showing deficiencies and recommendations reported by auditors and others who evaluate agencies' operations, (2) determine proper actions in response to findings and recommendations from audits and reviews, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention. The resolution process begins when audit or other review results are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates that the findings and recommendations do not warrant management action.
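As an added illustration of the information-processing and application controls the standard names under "Controls Over Information Processing", "Segregation of Duties" and "Application Control" (edit checks of data entered for format, existence and reasonableness; accounting for transactions in numerical sequence; comparing file totals with control accounts; and keeping the preparer of a transaction separate from its approver), the following example code is not part of the GAO standard or any agency system; the record layout, field names, reference table, limits and sample batch are constructed assumptions.

```python
"""Application-level control activities over a batch of payment transactions.

Added example, not part of the GAO standard. It implements controls the
standard names: edit checks of data entered (format, existence,
reasonableness), accounting for transactions in numerical sequence,
comparing file totals with control-account figures, and a
segregation-of-duties check (the preparer of a transaction may not also
approve it). The record layout, field names, reference table and limits
below are constructed assumptions, not taken from any agency system.
"""
from dataclasses import dataclass, field
import re

VENDOR_ID_RE = re.compile(r"^V\d{6}$")           # assumed vendor id format
MAX_REASONABLE_AMOUNT = 250_000.00               # assumed reasonableness limit
VALID_FUNDS = {"FUND-01", "FUND-02", "FUND-03"}  # assumed reference table


@dataclass
class Transaction:
    seq: int             # sequence number assigned when the record was entered
    vendor_id: str
    fund: str
    amount: float
    prepared_by: str
    approved_by: str


@dataclass
class ControlResult:
    exceptions: list = field(default_factory=list)

    def ok(self) -> bool:
        """True when every control passed; otherwise the batch is held for review."""
        return not self.exceptions


def edit_checks(txn: Transaction) -> list:
    """Format, existence, reasonableness and segregation edits on one record."""
    errs = []
    if not VENDOR_ID_RE.match(txn.vendor_id):
        errs.append(f"{txn.seq}: vendor_id format invalid")
    if txn.fund not in VALID_FUNDS:
        errs.append(f"{txn.seq}: fund does not exist")
    if not 0 < txn.amount <= MAX_REASONABLE_AMOUNT:
        errs.append(f"{txn.seq}: amount outside reasonable range")
    if txn.prepared_by == txn.approved_by:
        errs.append(f"{txn.seq}: preparer also approved (segregation of duties)")
    return errs


def sequence_check(txns) -> list:
    """Account for transactions in numerical sequence: flag gaps and duplicates."""
    errs = []
    seqs = sorted(t.seq for t in txns)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            errs.append(f"duplicate sequence number {cur}")
        elif cur != prev + 1:
            errs.append(f"gap in sequence between {prev} and {cur}")
    return errs


def control_total_check(txns, expected_count: int, expected_total: float) -> list:
    """Compare file totals with independently kept control-account figures."""
    errs = []
    if len(txns) != expected_count:
        errs.append(f"record count {len(txns)} != control count {expected_count}")
    file_total = round(sum(t.amount for t in txns), 2)
    if file_total != round(expected_total, 2):
        errs.append(f"file total {file_total:.2f} != control total {expected_total:.2f}")
    return errs


def run_application_controls(txns, expected_count, expected_total) -> ControlResult:
    """Run every control over the batch and collect the exceptions for review."""
    result = ControlResult()
    for t in txns:
        result.exceptions.extend(edit_checks(t))
    result.exceptions.extend(sequence_check(txns))
    result.exceptions.extend(control_total_check(txns, expected_count, expected_total))
    return result


# Constructed sample batch: one clean record, one with a bad vendor id, and one
# that breaks the existence, reasonableness and segregation edits. Sequence
# number 1003 is missing, and the control account expects 4 records totalling
# 2600.00, so the run below reports seven exceptions.
SAMPLE_BATCH = [
    Transaction(1001, "V000123", "FUND-01", 1500.00, "alice", "bob"),
    Transaction(1002, "X999", "FUND-01", 200.00, "alice", "bob"),
    Transaction(1004, "V000555", "FUND-09", 900_000.00, "carol", "carol"),
]

if __name__ == "__main__":
    for line in run_application_controls(SAMPLE_BATCH, 4, 2600.00).exceptions:
        print(line)
```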