GAO
United States General Accounting Office

Internal Control Standards

August 2001
Internal Control Management and Evaluation Tool

GAO-01-1008G


GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)

PREFACE

August 2001

The General Accounting Office (GAO) issues standards for internal control in the federal government as required by 31 U.S.C. 3512(c), commonly referred to as the Federal Managers' Financial Integrity Act of 1982. GAO first issued the standards in 1983. They became widely known throughout the government as the "Green Book." Since then, changes in information technology, emerging issues involving human capital management, and requirements of recent financial management-related legislation have prompted renewed focus on internal control. Consequently, GAO revised the standards and reissued them as Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999). These standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance challenges and areas at greatest risk for fraud, waste, abuse, and mismanagement.

We are issuing this Management and Evaluation Tool, which is based upon GAO's Standards for Internal Control in the Federal Government, to assist agencies in maintaining or implementing effective internal control and, when needed, to help determine what, where, and how improvements can be implemented. Although this tool is not required to be used, it is intended to provide a systematic, organized, and structured approach to assessing the internal control structure. It is one in a series of related documents we have issued to assist agencies in improving or maintaining effective operations. (See the last page of this document for a list of related products.)

This tool, GAO's standards for internal control, and the Office of Management and Budget Circular A-123, Management Accountability and Control (Revised June 21, 1995), should be used concurrently. Judgment must be applied in the interpretation and application of this tool to enable a user to consider the impact of the completed document on the entire internal control structure.

To facilitate its use, this tool is located on the Internet on GAO's home page (www.gao.gov) under the heading "Other Publications" and the subheading "Accounting and Financial Management." Additional copies can be obtained from the U.S. General Accounting Office, Room 1100, 700 4th Street, NW, Washington, DC 20548, or by calling (202) 512-6000, or TDD (202) 512-2537.

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance


CONTENTS

Introduction 5

Control Environment 9

Risk Assessment 23

Control Activities 33

Information and Communications 51

Monitoring 59

Overall Internal Control Summary 69

Related Products 71

Abbreviations

CFO Chief Financial Officer
COSO Committee of Sponsoring Organizations of the Treadway Commission
FAM Financial Audit Manual
FFMIA Federal Financial Management Improvement Act of 1996
FISCAM Federal Information System Controls Audit Manual
FMFIA Federal Managers' Financial Integrity Act of 1982
GAO General Accounting Office
GPRA Government Performance and Results Act of 1993
OMB Office of Management and Budget
OPM Office of Personnel Management


INTRODUCTION

As federal managers strive to achieve their agency's missions and goals and provide accountability for their operations, they need to continually assess and evaluate their internal control structure to assure that it is well designed and operated, appropriately updated to meet changing conditions, and provides reasonable assurance that the objectives of the agency are being achieved. Specifically, managers need to examine internal control to determine how well it is performing, how it may be improved, and the degree to which it helps identify and address major risks for fraud, waste, abuse, and mismanagement.

Using This Document

This document is an Internal Control Management and Evaluation Tool. Although this tool is not required to be used, it is intended to help managers and evaluators determine how well an agency's internal control is designed and functioning and help determine what, where, and how improvements, when needed, may be implemented.

This tool is based upon the guidance provided in GAO's Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999). That document provides the context for the use and application of this tool. Consequently, users of this tool (and managers and staff in general) should become familiar with the standards provided in that document. In addition, it would be helpful if users who are not experienced in internal control matters have access to persons who have such experience.

The tool is presented in five sections corresponding to the five standards for internal control: control environment, risk assessment, control activities, information and communications, and monitoring. Each section contains a list of major factors to be considered when reviewing internal control as it relates to the particular standard. These factors represent some of the more important issues addressed by the standard. Included under each factor are points and subsidiary points that users should consider when addressing the factor. The points and subsidiary points are intended to help users consider specific items that indicate the degree to which internal control is functioning. Users should apply informed judgment when considering the specific points and subsidiary points to determine (1) the applicability of the point to the circumstances, (2) whether the agency has actually been able to implement, perform, or apply the point, (3) any control weaknesses that may actually result, and (4) the extent to which the point impacts on the agency's ability to achieve its mission and goals.

Space is provided beside each point and subsidiary point for the user to note comments or provide descriptions of the circumstances affecting the issue. Comments and descriptions usually will not be of the "yes/no" type, but will generally include information on how the agency does or does not address the issue. Users could also use this comment space to indicate whether any problems found might be major or minor control weaknesses. This tool is intended to help users reach a conclusion about the agency's internal control as it pertains to the particular standard. In this regard, a space is provided at the end of each section for the user to note the general overall assessment and to identify actions that might need to be taken or considered. Additional space is provided for an overall summary assessment at the end of the tool.

It should be understood that this tool is not an authoritative part of the standards for internal control. Rather, it is intended as a supplemental guide that federal managers and evaluators may use in assessing the effectiveness of internal control and identifying important aspects of control in need of improvement. Users should keep in mind that this tool is a starting point and that it can and should be modified to fit the circumstances, conditions, and risks relevant to the situation of each agency. Not all of the points or subsidiary points need to be considered for every agency or activity, depending upon the type of mission being performed and the cost/benefit aspect of a particular control item. Users should consider the relevant points and subsidiary points and delete or add others as appropriate to their particular entity or circumstances. In addition, users should note that this document follows the format of the standards for internal control. Users may rearrange or reorganize the points and subsidiary points to fit their particular needs or desires.

This Tool Can Help

This tool could be useful in assessing internal control as it relates to the achievement of the objectives in any of the three major control categories, i.e., effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. It may also be useful with respect to the subset objective of safeguarding assets from fraud, waste, abuse, or misuse. In addition, the tool may be used when considering internal control as it relates to any of the various activities of an agency, such as administration, human capital management, financial management, acquisition and procurement, and provision of goods or services.

Furthermore, the tool may be helpful in meeting the reporting requirements of 31 U.S.C. 3512(c), commonly referred to as the Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA requires annual reporting on agency internal control. The act directs the head of each executive agency to provide an annual statement as to whether the agency's internal control complies with the prescribed standards. Essentially, this requires the report to make a declaration as to the effectiveness of the internal control. If the internal control does not comply with such requirements, the report is to identify material weaknesses and the plans and schedule for correcting those weaknesses. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, revised June 21, 1995, provides agencies guidance on how to satisfy the FMFIA reporting requirements.[1]

Related Resources

It should be further noted that this tool is not the only resource available for assessing internal control. It should be used in conjunction with other resources, such as the guidance provided in OMB Circular A-123, Management Accountability and Control, revised June 21, 1995. Financial statement auditors should follow GAO's Financial Audit Manual (FAM) (GAO/AFMD-12.19.5A/B, December 1997), as amended. The FAM provides the process and methodology the auditor is to follow when reviewing internal control in financial audits. The financial auditor considers internal control primarily as it relates to financial reporting and compliance with laws and regulations. Relating to internal control, the FAM focuses on the auditor's identification and assessment of risk as it relates to the financial statement audit objectives. On the other hand, this tool discusses internal control from a broader, overall entity perspective based on the internal control standards and focusing on management's operational and program objectives. Although the focus of each document is different, they are complementary.

[1] OMB Circular A-123 uses the term "management control," whereas this document uses the term "internal control." GAO's internal control standards state that these terms are synonymous.

This Management and Evaluation Tool was developed using many different sources of information and ideas. The primary source was, of course, GAO's Standards for Internal Control in the Federal Government. Additional guidance was obtained from the "Evaluation Tools" section of Internal Control – Integrated Framework, by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), issued in September 1992. Consideration was given to the requirements of pertinent legislation, including the Federal Managers' Financial Integrity Act (FMFIA) of 1982, the Chief Financial Officers Act of 1990, the Government Performance and Results Act (GPRA) of 1993, and the Federal Financial Management Improvement Act (FFMIA) of 1996. Further guidance was developed using prior GAO publications, including Human Capital: A Self-Assessment Checklist for Agency Leaders (GAO/OGC-00-14G, September 2000, Version 1) and the Federal Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). Finally, essential material was also developed based on the many years of experience of GAO evaluators and analysts in reviewing and assessing federal agency internal control.

This publication is one in a series of documents issued by GAO to assist agencies in improving or maintaining effective operations. See the last page of this document for a list of related products.


CONTROL ENVIRONMENT

According to the first internal control standard, which relates to control environment, management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. There are several key factors that affect the accomplishment of this goal. Managers and evaluators should consider each of these control environment factors when determining whether a positive control environment has been achieved. The factors that should be focused on are listed below. The list is a beginning point. It is not all-inclusive and not every item will apply to every agency or activity within the agency. Even though some of the functions are subjective in nature and require the use of judgment, they are important in achieving control environment effectiveness.

Integrity and Ethical Values Comments/Descriptions

1. The agency has established and uses a formal code or codes of conduct and other policies communicating appropriate ethical and moral behavioral standards and addressing acceptable operational practices and conflicts of interest. Consider the following:

• The codes are comprehensive in nature and directly address issues such as improper payments, appropriate use of resources, conflicts of interest, political activities of employees, acceptance of gifts or donations or foreign decorations, and use of due professional care.[2]

• The codes are periodically acknowledged by signature from all employees.

• Employees indicate that they know what kind of behavior is acceptable and unacceptable, what penalties unacceptable behavior may bring, and what to do if they become aware of unacceptable behavior.

[2] Executive branch employees are subject to standards and principles of ethical conduct in accordance with 5 CFR 2635 and Executive Orders 12674 and 12731.

2. An ethical tone has been established at the top of the organization and has been communicated throughout the agency. Consider the following:


• Management fosters and encourages an agency culture that emphasizes the importance of integrity and ethical values. This might be achieved through oral communications in meetings, via one-on-one discussions, and by example in day-to-day activities.

• Employees indicate that peer pressure exists for appropriate moral and ethical behavior.

• Management takes quick and appropriate action as soon as there are any signs that a problem may exist.

3. Dealings with the public, Congress, employees, suppliers, auditors, and others are conducted on a high ethical plane. Consider the following:

• Financial, budgetary, and operational/programmatic reports to Congress, OMB, Treasury, the Office of Personnel Management (OPM), and the public are proper and accurate (not intentionally misleading).

• Management cooperates with auditors and other evaluators, discloses known problems to them, and values their comments and recommendations.

• Underbillings by suppliers or overpayments by users or customers are quickly corrected.

• The agency has a well-defined and understood process for dealing with employee claims and concerns in a timely and appropriate manner.

4. Appropriate disciplinary action is taken in response to departures from approved policies and procedures or violations of the code of conduct. Consider the following:

• Management takes action when there are violations of policies, procedures, or the code(s) of conduct.


• The types of disciplinary actions that can be taken are widely communicated throughout the agency so that others know that if they behave improperly, they will face similar consequences.

5. Management appropriately addresses intervention or overriding internal control. Consider the following:

• Guidance exists concerning the circumstances and frequency with which intervention may be needed, and the management levels which may take such action.

• Any intervention or overriding of internal control is fully documented as to reasons and specific actions taken.

• Overriding of internal control by low-level management personnel is prohibited except in emergency situations, and upper-level management is immediately notified and the circumstances are documented.

6. Management removes temptation for unethical behavior. Consider the following:

• Management has a sound basis for setting realistic and achievable goals and does not pressure employees to meet unrealistic ones.

• Management provides fair, nonextreme incentives (as opposed to unfair and unnecessary temptations) to help ensure integrity and adherence to ethical values.

• Compensation and promotion are based on achievements and performance.

Commitment to Competence Comments/Descriptions

1. Management has identified and defined the tasks required to accomplish particular jobs and fill the various positions. Consider the following:


• Management has analyzed the tasks that need to be performed for particular jobs and given consideration to such things as the level of judgment required and the extent of supervision necessary.

• Formal job descriptions or other means of identifying and defining specific tasks required for job positions have been established and are up-to-date.

2. The agency has performed analyses of the knowledge, skills, and abilities needed to perform jobs appropriately. Consider the following:

• The knowledge, skills, and abilities needed for various jobs have been identified and made known to employees.

• Evidence exists that the agency attempts to assure that employees selected for various positions have the requisite knowledge, skills, and abilities.

3. The agency provides training and counseling in order to help employees maintain and improve their competence for their jobs. Consider the following:

• There is an appropriate training program to meet the needs of all employees.

• The agency emphasizes the need for continuing training and has a control mechanism to help ensure that all employees actually received appropriate training.

• Supervisors have the necessary management skills and have been trained to provide effective job performance counseling.

• Performance appraisals are based on an assessment of critical job factors and clearly identify areas in which the employee is performing well and areas that need improvement.

• Employees are provided candid and constructive job performance counseling.


4. Key senior-level employees have a demonstrated ability in general management and extensive practical experience in operating governmental or business entities.

Management's Philosophy and Operating Style Comments/Descriptions

1. Management has an appropriate attitude toward risk-taking, and proceeds with new ventures, missions, or operations only after carefully analyzing the risks involved and determining how they may be minimized or mitigated.

2. Management enthusiastically endorses the use of performance-based management.

3. There has not been excessive personnel turnover in key functions, such as operations and program management, accounting, or internal audit, that would indicate a problem with the agency's emphasis on internal control. Consider the following:

• There has not been excessive turnover of supervisory personnel related to internal control problems, and there is a strategy for dealing with turnover related to constraints and limitations such as salary caps.

• Key personnel have not quit unexpectedly.

• Personnel turnover has not been so great as to impair internal control as a result of employing many people new to their jobs and unfamiliar with the control activities and responsibilities.

• There is no pattern to personnel turnover that would indicate a problem with the emphasis that management places on internal control.

4. Management has a positive and supportive attitude toward the functions of accounting, information management systems, personnel operations, monitoring, and internal and external audits and evaluations. Consider the following:


• The financial accounting and budgeting operations are considered essential to the well-being of the organization and viewed as methods for exercising control over the entity's various activities.

• Management regularly relies on accounting/financial and programmatic data from its systems for decision-making purposes and performance evaluation.

• If the accounting operation is decentralized, unit accounting personnel also have reporting responsibility to the central financial officer(s).

• The financial management, accounting operations, and budget execution operations are under the direction of the Chief Financial Officer (CFO) and strong synchronization and coordination exists between budgetary and proprietary financial accounting activities.

• Management looks to the information management function for critical operating data and supports efforts to make improvements in the systems as technology advances.

• Personnel operations have a high priority and senior executives emphasize the importance of good human capital management.

• Management places a high degree of importance on the work of the Inspector General, external audits, and other evaluations and studies and is responsive to information developed through such products.

5. Valuable assets and information are safeguarded from unauthorized access or use.[3]

6. There is frequent interaction between senior management and operating/program management, especially when operating from geographically dispersed locations.

[3] Specific subsidiary points to consider with regard to physical control over vulnerable assets are discussed under the section on "Control Activities," under "Common Categories of Control Activities," 5th point.


7. Management has an appropriate attitude toward financial, budgetary, and operational/programmatic reporting. Consider the following:

• Management is informed and involved in critical financial reporting issues and supports a conservative approach toward the application of accounting principles and estimates.

• Management discloses all financial, budgetary, and programmatic information needed to fully understand the operations and financial condition of the agency.

• Management avoids focus on short-term reported results.

• Personnel do not submit inappropriate or inaccurate reports in order to meet targets.

• Facts are not exaggerated and budgetary estimates are not stretched to a point of unreasonableness.

Organizational Structure Comments/Descriptions

1. The agency's organizational structure is appropriate for its size and the nature of its operations. Consider the following:

• The organizational structure facilitates the flow of information throughout the agency.

• The organizational structure is appropriately centralized or decentralized, given the nature of its operations, and management has clearly articulated the considerations and factors taken into account in balancing the degree of centralization versus decentralization.

2. Key areas of authority and responsibility are defined and communicated throughout the organization. Consider the following:


• Executives in charge of major activities or functions are fully aware of their duties and responsibilities.

• An accurate and updated organizational chart showing key areas of responsibility is provided to all employees.

• Executives and key managers understand their internal control responsibilities and ensure that their staff also understand their own responsibilities.

3. Appropriate and clear internal reporting relationships have been established. Consider the following:

• Reporting relationships have been established and effectively provide managers information they need to carry out their responsibilities and perform their jobs.

• Employees are aware of the established reporting relationships.

• Mid-level managers can easily communicate with senior operating executives.

4. Management periodically evaluates the organizational structure and makes changes as necessary in response to changing conditions.

5. The agency has the appropriate number of employees, particularly in managerial positions. Consider the following:

• Managers and supervisors have time to carry out their duties and responsibilities.

• Employees do not have to work excessive overtime or outside the ordinary workweek to complete assigned tasks.

• Managers and supervisors are not fulfilling the roles of more than one employee.


Assignment of Authority and Responsibility Comments/Descriptions

1. The agency appropriately assigns authority and delegates responsibility to the proper personnel to deal with organizational goals and objectives. Consider the following:

• Authority and responsibility are clearly assigned throughout the organization and this is clearly communicated to all employees.

• Responsibility for decision-making is clearly linked to the assignment of authority, and individuals are held accountable accordingly.

• Along with increased delegation of authority and responsibility, management has effective procedures to monitor results.

2. Each employee knows (1) how his or her actions interrelate to others considering the way in which authority and responsibilities are assigned, and (2) is aware of the related duties concerning internal control. Consider the following:

• Job descriptions clearly indicate the degree of authority and accountability delegated to each position and the responsibilities assigned.

• Job descriptions and performance evaluations contain specific references to internal control-related duties, responsibilities, and accountability.

3. The delegation of authority is appropriate in relation to the assignment of responsibility. Consider the following:

• Employees at the appropriate levels are empowered to correct problems or implement improvements.

• There is an appropriate balance between the delegation of authority at lower levels to "get the job done" and the involvement of senior-level personnel.


Human Resource Policies and Practices Comments/Descriptions

1. Policies and procedures are in place for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating employees. Consider the following:

• Management communicates information to recruiters about the type of competencies needed for the work or participates in the hiring process.

• The agency has standards or criteria for hiring qualified people, with emphasis on education, experience, accomplishment, and ethical behavior.

• Position descriptions and qualifications are in accordance with OPM guidance and standardized throughout the agency for similar jobs.

• A training program has been established and includes orientation programs for new employees and ongoing training for all employees.

• Promotion, compensation, and rotation of employees are based on periodic performance appraisals.

• Performance appraisals are linked to the goals and objectives included in the agency's strategic plan.

• The importance of integrity and ethical values is reflected in performance appraisal criteria.

• Employees are provided with appropriate feedback and counseling on their job performance and suggestions for improvements.

• Disciplinary or remedial action is taken in response to violations of policies or ethical standards.

• Employment is terminated, following established policies, when performance is consistently below standards or there are significant and serious violations of policy.


• Management has established criteria for employee retention and considers the effect upon operations if large numbers of employees are expected to leave or retire in a given period.

2. Background checks are conducted on candidates for employment. Consider the following:

• Candidates who change jobs often are given particularly close attention.

• Hiring standards require investigations for criminal records for all potential employees.

• References and previous employers are contacted.

• Educational and professional certifications are confirmed.

3. Employees are provided a proper amount of supervision. Consider the following:

• Employees receive guidance, review, and on-the-job training from supervisors to help ensure proper workflow and processing of transactions and events, reduce misunderstandings, and discourage wrongful acts.

• Supervisory personnel ensure that staff are aware of their duties and responsibilities and management's expectations.

Oversight Groups Comments/Descriptions

1. Within the agency, there are mechanisms in place to monitor and review operations and programs. Consider the following:

• An Inspector General, who is independent from management, audits and reviews agency activities.


• The agency has an audit committee or senior management council consisting of high-level line and staff executives that review the internal audit work and coordinate closely with the Inspector General and external auditors.

• If there is an internal audit operation, it reports to the agency head.[4]

• The internal audit function reviews the agency's activities and systems and provides information, analyses, appraisals, recommendations, and counsel to management.

2. The agency works closely with executive branch oversight organizations. Consider the following:

• The agency has a good working relationship with OMB, and major officials, including the CFO, meet regularly with OMB personnel to discuss areas such as financial and budgetary reporting, internal control, and management's performance.

• High-level agency personnel maintain good working relationships with other executive branch agencies that exercise multi-agency control responsibilities, such as the Department of the Treasury, the General Services Administration, and OPM.

3. The agency maintains a close relationship with Congress in general and oversight committees in particular. Consider the following:

• The agency provides Congress and oversight committees with timely and accurate information to allow monitoring of agency activities, including review of the agency's (1) mission and goals, (2) performance reporting, and (3) financial position and operating results.

[4] Agencies may or may not have an internal audit function separate and apart from the Inspector General.

• High-level agency officials meet regularly with congressional and GAO staff to discuss major issues affecting operations, internal control, performance, and other major agency activities and programs.

Control Environment Summary Section
Provide General Conclusions and Actions Needed Here:

RISK ASSESSMENT

The second internal control standard addresses risk assessment. A precondition to risk assessment is the establishment of clear, consistent agency goals and objectives at both the entity level and at the activity (program or mission) level. Once the objectives have been set, the agency needs to identify the risks that could impede the efficient and effective achievement of those objectives at the entity level and the activity level. Internal control should provide for an assessment of the risks the agency faces from both internal and external sources. Once risks have been identified, they should be analyzed for their possible effect. Management then has to formulate an approach for risk management and decide upon the internal control activities required to mitigate those risks and achieve the internal control objectives of efficient and effective operations, reliable financial reporting, and compliance with laws and regulations. A manager or evaluator will focus on management's processes for objective setting, risk identification, risk analysis, and management of risk during times of change. Listed below are factors a user might consider. The list is a beginning point. It is not all-inclusive, nor will every item apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in performing risk assessment.

Establishment of Entitywide Objectives Comments/Descriptions

1. The agency has established entitywide objectives that provide sufficiently broad statements and guidance about what the agency is supposed to achieve, yet are specific enough to relate directly to the agency. Consider the following:

• Management has established overall entitywide objectives in the form of mission, goals, and objectives, such as those defined in strategic and annual performance plans developed under the GPRA.

• The entitywide objectives relate to and stem from program requirements established by legislation.

• The entitywide objectives are specific enough to clearly apply to the agency instead of applying to all agencies.

2. Entitywide objectives are clearly communicated to all employees, and management obtains feedback signifying that the communication has been effective.

3. There is a relationship and consistency between the agency's operational strategies and the entitywide objectives. Consider the following:

• Strategic plans support the entitywide objectives.

• Strategic plans address resource allocations and priorities.

• Strategic plans and budgets are designed with an appropriate level of detail for various management levels.

• Assumptions made in strategic plans and budgets are consistent with the agency's historical experience and current circumstances.

4. The agency has an integrated management strategy and risk assessment plan that considers the entitywide objectives and relevant sources of risk from internal management factors and external sources and establishes a control structure to address those risks.

Establishment of Activity-Level Objectives Comments/Descriptions

1. Activity-level (program or mission-level) objectives flow from and are linked with the agency's entitywide objectives and strategic plans. Consider the following:

• All significant activities are adequately linked to the entitywide objectives and strategic plans.

• Activity-level objectives are reviewed periodically to assure that they have continued relevance.

2. Activity-level objectives are complementary, reinforce each other, and are not contradictory.

3. The activity-level objectives are relevant to all significant agency processes. Consider the following:

• Objectives have been established for all the key operational activities and the support activities.

• Activity-level objectives are consistent with effective past practices and performance, and are consistent with any industry or business norms that may be applicable to the agency's operations.

4. Activity-level objectives include measurement criteria.

5. Agency resources are adequate relative to the activity-level objectives. Consider the following:

• The resources needed to meet the objectives have been identified.

• If adequate resources are not available, management has plans to acquire them.

6. Management has identified those activity-level objectives that are critical to the success of the overall entitywide objectives. Consider the following:

• Management has identified the things that must occur or happen if the entitywide objectives are to be met.

• The critical activity-level objectives receive particular attention and review from management, and their performance is monitored regularly.

7. All levels of management are involved in establishing the activity-level objectives and are committed to their achievement.

Risk Identification Comments/Descriptions

1. Management comprehensively identifies risk using various methodologies as appropriate. Consider the following:

• Qualitative and quantitative methods are used to identify risk and determine relative risk rankings on a scheduled and periodic basis.

• How risk is to be identified, ranked, analyzed, and mitigated is communicated to appropriate staff.

• Risk identification and discussion occur in senior-level management conferences.

• Risk identification takes place as a part of short-term and long-term forecasting and strategic planning.

• Risk identification occurs as a result of consideration of findings from audits, evaluations, and other assessments.

• Risks that are identified at the employee and mid-management level are brought to the attention of senior-level managers.

2. Adequate mechanisms exist to identify risks to the agency arising from external factors. Consider the following:

• The agency considers the risks associated with technological advancements and developments.

• Consideration is given to risks arising from the changing needs or expectations of Congress, agency officials, and the public.

• Risks posed by new legislation or regulations are identified.

• Risks to the agency as a result of possible natural catastrophes or criminal or terrorist actions are taken into account.

• Risks resulting from business, political, and economic changes are identified.

• Consideration is given to the risks associated with major suppliers and contractors.

• The agency carefully considers any risks resulting from its interactions with various other federal entities and parties outside the government.

3. Adequate mechanisms exist to identify risks to the agency arising from internal factors. Consider the following:

• Risks resulting from downsizing of agency operations and personnel are considered.

• The agency identifies risks associated with business process reengineering or redesign of operating processes.

• Consideration is given to risks posed by disruption of information systems processing and the extent to which backup systems are available and can be implemented.

• The agency identifies any potential risks due to highly decentralized program operations.

• Consideration is given to possible risks resulting from the lack of qualifications of personnel hired or the extent to which they have been trained or not trained.

• Risks resulting from heavy reliance on contractors or other related parties to perform critical agency operations are identified.

• The agency identifies any risks that might be associated with major changes in managerial responsibilities.

• Risks resulting from unusual employee access to vulnerable assets are considered.

• Risk identification activities consider certain human capital-related risks, such as the inability to provide succession planning and retain key personnel who can affect the ability of the agency or program activity to function effectively, and the inadequacy of compensation and benefit programs to keep the agency competitive with the private sector for labor.

• Risks related to the availability of future funding for new programs or the continuation of current programs are assessed.

4. In identifying risk, management assesses other factors that may contribute to or increase the risk to which the agency is exposed. Consider the following:

• Management considers any risks related to past failures to meet agency missions, goals, or objectives or failures to meet budget limitations.

• Consideration is given to risks indicated by a history of improper program expenditures, violations of funds control, or other statutory noncompliance.

• The agency identifies any risks inherent to the nature of its mission or to the significance and complexity of any specific programs or activities it undertakes.

5. Management identifies risks both entitywide and for each significant activity level of the agency.

Risk Analysis Comments/Descriptions

1. After the risks to the agency have been identified, management undertakes a thorough and complete analysis of their possible effect. Consider the following:

• Management has established a formal process to analyze risks, and that process may include informal analysis based on day-to-day management activities.

• Criteria have been established for determining low, medium, and high risks.

• Appropriate levels of management and employees are involved in the risk analysis.

• The risks identified and analyzed are relevant to the corresponding activity objective.

• Risk analysis includes estimating the risk's significance.

• Risk analysis includes estimating the likelihood and frequency of occurrence of each risk and determining whether it falls into the low, medium, or high-risk category.

• A determination is made on how best to manage or mitigate the risk and what specific actions should be taken.

2. Management has developed an approach for risk management and control based on how much risk can be prudently accepted. Consider the following:

• The approach can vary from one agency to another depending upon variances in risks and how much risk can be tolerated, but seems appropriate to the agency.

• The approach is designed to keep risks within levels judged to be appropriate, and management takes responsibility for setting the tolerable risk level.

• Specific control activities are decided upon to manage or mitigate specific risks entitywide and at each activity level, and their implementation is monitored.

Managing Risk During Change Comments/Descriptions

1. The agency has mechanisms in place to anticipate, identify, and react to risks presented by changes in governmental, economic, industry, regulatory, operating, or other conditions that can affect the achievement of entitywide or activity-level goals and objectives. Consider the following:

• All activities within the agency that might be significantly affected by changes are considered in the process.

• Routine changes are addressed through the established risk identification and analysis processes.

• Risks resulting from conditions that are significantly changing are addressed at sufficiently high levels within the agency so that their full impact on the organization is considered and appropriate actions are taken.

2. The agency gives special attention to risks presented by changes that can have a more dramatic and pervasive effect on the entity and may demand the attention of senior officials. Consider the following:

• The agency is especially attentive to risks caused by the hiring of new personnel to occupy key positions or by high personnel turnover in any particular area.

• Mechanisms exist to assess the risks posed by the introduction of new or changed information systems and the risks involved in training employees to use the new systems and to accept the changes.

• Management gives special consideration to the risks presented by rapid growth and expansion or rapid downsizing and the effects on systems capabilities and revised strategic plans, goals, and objectives.

• Consideration is given to the risks involved when introducing major new technological developments and applications and incorporating them into the operating processes.

• The risks are extensively analyzed whenever the agency begins the production or provision of new outputs or services.

• Risks resulting from the establishment of operations in a new geographical area are assessed.

Risk Assessment Summary Section
Provide General Conclusions and Actions Needed Here:

CONTROL ACTIVITIES

The third internal control standard addresses control activities. Internal control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's directives to mitigate risks identified during the risk assessment process are carried out. Control activities are an integral part of the agency's planning, implementing, and reviewing. They are essential for proper stewardship and accountability for government resources and for achieving effective and efficient program results.

Control activities occur at all levels and functions of the agency. They include a wide range of diverse activities, such as approvals, authorizations, verifications, reconciliations, performance reviews, security activities, and the production of records and documentation. A manager or evaluator should focus on control activities in the context of the agency's management directives to address risks associated with established objectives for each significant activity (program or mission). Therefore, a manager or evaluator will consider whether control activities relate to the risk-assessment process and whether they are appropriate to ensure that management's directives are carried out. In assessing the adequacy of internal control activities, a reviewer should consider whether the proper control activities have been established, whether they are sufficient in number, and the degree to which those activities are operating effectively. This should be done for each significant activity. This analysis and evaluation should also include controls over computerized information systems. A manager or evaluator should consider not only whether established control activities are relevant to the risk-assessment process, but also whether they are being applied properly.

The control activities put into place in a given agency may vary considerably from those used in a different agency. This difference may occur because of the (1) variations in missions, goals, and objectives of the agencies; (2) differences in their environment and manner in which they operate; (3) variations in degree of organizational complexity; (4) differences in agency histories and culture; and (5) differences in the risks that the agencies face and are trying to mitigate. It is probable that, even if two agencies did have the same missions, goals, objectives, and organizational structures, they would employ different control activities. This is due to individual judgment, implementation, and management. All of these factors affect an agency's internal control activities, which should be designed accordingly to contribute to the achievement of the agency's missions, goals, and objectives.

Given the wide variety of control activities that agencies may employ, it would be impossible for this tool to address them all. However, there are some general, overall points to be considered by managers and evaluators, as well as several major categories or types of control activity factors that are applicable at various levels throughout practically all federal agencies. In addition, there are some control activity factors specifically designed for information systems. These factors and related points and subsidiary points are listed below as examples of issues to be considered. They are meant to illustrate the range and variety of control activities that are typically used. The list is a beginning point. It is not all-inclusive, and not every point or subsidiary point may apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in assessing the appropriateness of the agency's internal control activities.

General Application Comments/Descriptions

1. Appropriate policies, procedures, techniques, and mechanisms exist with respect to each of the agency's activities. Consider the following:

• All relevant objectives and associated risks for each significant activity have been identified in conjunction with conducting the risk assessment and analysis function.

• Management has identified the actions and control activities needed to address the risks and directed their implementation.

2. The control activities identified as necessary are in place and being applied. Consider the following:

• Control activities described in policy and procedures manuals are actually applied and applied properly.

• Supervisors and employees understand the purpose of internal control activities.

• Supervisory personnel review the functioning of established control activities and remain alert for instances in which excessive control activities should be streamlined.

• Timely action is taken on exceptions, implementation problems, or information that requires follow-up.

3. Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.[5]

[5] This point is closely related to the functions, points, and subsidiary points included in the “Monitoring” section. See that section for more specific information on monitoring and periodic evaluation of control activities.

Common Categories of Control Activities Comments/Descriptions

1. Top-Level Reviews: Management tracks major agency achievements in relation to its plans. Consider the following:

• Top-level management regularly reviews actual performance against budgets, forecasts, and prior period results.

• Top management is involved in developing 5-year and annual performance plans and targets in accordance with GPRA and measuring and reporting results against those plans and targets.

• Major agency initiatives are tracked for target achievement and follow-up actions are taken.

2. Management Reviews at the Functional or Activity Level: Agency managers review actual performance against targets. Consider the following:

• Managers at all activity levels review performance reports, analyze trends, and measure results against targets.

• Both financial and program managers review and compare financial, budgetary, and operational performance to planned or expected results.

• Appropriate control activities are employed, such as reconciliations of summary information to supporting detail and checking the accuracy of summarizations of operations.

3. Management of Human Capital: The agency effectively manages the organization's workforce to achieve results. Consider the following:[6]

• A clear and coherent shared vision of agency mission, goals, values, and strategies is explicitly identified in the strategic plan, annual performance plan, and other guiding documents, and that view has been clearly and consistently communicated to all employees.

[6] For more detailed information about items to consider, see GAO publication Human Capital: A Self-Assessment Checklist for Agency Leaders (GAO/OGC-00-14G, September 2000, Version 1).

• The agency has a coherent overall human capital strategy, as evidenced in its strategic plan, performance plan, or separate human capital planning document; and that strategy encompasses human capital policies, programs, and practices to guide the agency.

• The agency has a specific and explicit workforce planning strategy, linked to the overall strategic plan, that allows for identification of current and future human capital needs.

• The agency has defined the type of leaders it wants through written descriptions of roles, responsibilities, attributes, and competencies and has established broad performance expectations for them.

• Senior leaders and managers attempt to build teamwork, reinforce the shared vision of the agency, and encourage feedback from employees, as evidenced by actions taken to communicate this to all employees and the existence of opportunities for management to obtain feedback.

• The agency's performance management system is given a high priority by top-level officials, and it is designed to guide the workforce to achieve the agency's shared vision/mission.

• Procedures are in place to ensure that personnel with appropriate competencies are recruited and retained for the work of the agency, including a formal recruiting and hiring plan with explicit links to skill needs the agency has identified.

• Employees are provided orientation, training, and tools to perform their duties and responsibilities, improve performance, enhance their capabilities, and meet the demands of changing organizational needs.

• The compensation system is adequate to acquire, motivate, and retain personnel, and incentives and rewards are provided to encourage personnel to perform at maximum capability.

• The agency provides workplace flexibilities, services, and facilities (e.g., career counseling, flextime, casual-dress days, and childcare) to help it compete for talent and enhance employee satisfaction and commitment.

• Qualified and continuous supervision is provided to ensure that internal control objectives are being met.

• Meaningful, honest, constructive performance evaluation and feedback are provided to help employees understand the connection between their performance and the achievement of the agency's goals.

• Management conducts succession planning to ensure continuity of needed skills and abilities.

4. Information Processing: The agency employs a variety of control activities suited to information processing systems to ensure accuracy and completeness. Consider the following:[7]

• Edit checks are used in controlling data entry.

• Accounting for transactions is performed in numerical sequences.

• File totals are compared with control accounts.

• Exceptions or violations indicated by other control activities are examined and acted upon.

• Access to data, files, and programs is appropriately controlled.
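The information-processing points above are the classic batch input controls. The Python script below is added here as an illustration and is not part of the GAO tool; it shows what three of those points look like in code: field-level edit checks on each keyed record, accounting for pre-numbered documents (gaps and duplicates in the sequence), and comparison of the file's record count and hash total with the control figures asserted by the submitting office, with every failure collected into an exception list for follow-up. The account-code format, the record layout and the sample batch are constructed for the example.

```python
"""Input controls over a transaction batch: field edit checks, sequence
accounting, and control-total reconciliation, with an exception list for review."""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Hypothetical account-code format: four-digit fund, three-digit object class.
ACCOUNT_RE = re.compile(r"^\d{4}-\d{3}$")


@dataclass(frozen=True)
class Record:
    seq: int          # pre-numbered document sequence number
    txn_date: str     # date exactly as keyed by the operator
    account: str
    amount: str       # kept as a string so the edit check sees what was keyed


@dataclass(frozen=True)
class BatchHeader:
    record_count: int     # count asserted by the submitting office
    hash_total: Decimal   # sum of amounts asserted by the submitting office


def edit_check(rec: Record) -> list[str]:
    """Field-level edit checks on one record. Empty list means the record is clean."""
    problems = []
    try:
        date.fromisoformat(rec.txn_date)
    except ValueError:
        problems.append(f"seq {rec.seq}: invalid date {rec.txn_date!r}")
    if not ACCOUNT_RE.match(rec.account):
        problems.append(f"seq {rec.seq}: malformed account {rec.account!r}")
    try:
        amt = Decimal(rec.amount)
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            problems.append(f"seq {rec.seq}: amount {rec.amount!r} is not a positive two-decimal value")
    except InvalidOperation:
        problems.append(f"seq {rec.seq}: non-numeric amount {rec.amount!r}")
    return problems


def sequence_check(records: list[Record]) -> list[str]:
    """Accounts for every document number: reports gaps and duplicates."""
    problems = []
    seqs = sorted(r.seq for r in records)
    for prev, cur in zip(seqs, seqs[1:]):
        if cur == prev:
            problems.append(f"duplicate sequence number {cur}")
        elif cur - prev > 1:
            missing = ", ".join(str(n) for n in range(prev + 1, cur))
            problems.append(f"gap in sequence: missing {missing}")
    return problems


def control_total_check(records: list[Record], header: BatchHeader) -> list[str]:
    """Compares the file's computed count and hash total with the control figures."""
    problems = []
    total = Decimal("0")
    for r in records:
        try:
            total += Decimal(r.amount)
        except InvalidOperation:
            pass  # already reported by edit_check; it cannot contribute to the total
    if len(records) != header.record_count:
        problems.append(f"record count {len(records)} != control count {header.record_count}")
    if total != header.hash_total:
        problems.append(f"hash total {total} != control total {header.hash_total}")
    return problems


def validate_batch(records: list[Record], header: BatchHeader) -> list[str]:
    """Runs all checks; a batch with any exception is held for review, not posted."""
    exceptions = []
    for r in records:
        exceptions += edit_check(r)
    exceptions += sequence_check(records)
    exceptions += control_total_check(records, header)
    return exceptions


# Constructed sample: the submitting office asserts 5 records totalling 1,250.00.
# The file has a gap (1003 missing), a duplicate (1005 twice), a bad account and a bad date.
SAMPLE_RECORDS = [
    Record(1001, "2001-08-01", "0210-110", "250.00"),
    Record(1002, "2001-08-01", "0210-110", "300.00"),
    Record(1004, "2001-08-02", "0210-120", "200.00"),
    Record(1005, "2001-08-31", "0210-13A", "250.00"),
    Record(1005, "2001-08-32", "0210-130", "250.00"),
]
SAMPLE_HEADER = BatchHeader(record_count=5, hash_total=Decimal("1250.00"))

if __name__ == "__main__":
    for line in validate_batch(SAMPLE_RECORDS, SAMPLE_HEADER):
        print("EXCEPTION:", line)
```

In the sample the control totals agree with the corrupted file, because the duplicated document carries the same amount as the missing one; this is why sequence accounting is a separate control and not a by-product of the totals check. The fifth point, control over access to data, files and programs, is an operating-system and application matter rather than a batch check and is not shown here.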

5. Physical Control Over Vulnerable Assets: The agency employs physical control to secure and safeguard vulnerable assets. Consider the following:

[7] Further guidance on control activities for information processing is provided in the following section under “Control Activities Specific for Information Systems.” In addition, see GAO's FISCAM and OMB Circular A-130, Management of Federal Information Resources.

• Physical safeguarding policies and procedures have been developed, implemented, and communicated to all employees.

• The agency has developed a disaster recovery plan, which is regularly updated and communicated to employees.

• The agency has developed a plan for the identification of and protection of any critical infrastructure assets.[8]

• Assets that are particularly vulnerable to loss, theft, damage, or unauthorized use, such as cash, securities, supplies, inventories, and equipment, are physically secured and access to them controlled.

• Assets such as cash, securities, supplies, inventories, and equipment are periodically counted and compared to control records, and exceptions are examined.

• Cash and negotiable securities are maintained under lock and key and access to them strictly controlled.

• Forms such as blank checks and purchase orders are sequentially pre-numbered and physically secured, and access to them is strictly controlled.

• Mechanical check signers and signature plates are physically protected and access to them strictly controlled.

• Equipment vulnerable to theft is securely fastened or protected in some other manner.

• Identification plates and numbers are affixed to office furniture and fixtures, equipment, and other portable assets.

[8] Critical infrastructure assets are those assets of physical and cyber-based systems that are essential to the minimum operations of the economy and government. In accordance with Presidential Decision Directive No. 63, dated May 22, 1998, each federal agency is responsible for identifying its own critical infrastructure and developing a protection plan for it.

• Inventories, supplies, and finished items/goods are stored in physically secured areas and protected from damage.

• Facilities are protected from fire by fire alarms and sprinkler systems.

• Access to premises and facilities is controlled by fences, guards, and/or other physical controls.

• Access to facilities is restricted and controlled during nonworking hours.

6. Performance Measures and Indicators: The agency has established and monitors performance measures and indicators. Consider the following:

• Performance measures and indicators have been established throughout the organization at the entitywide, activity, and individual level.

• The agency periodically reviews and validates the propriety and integrity of both organizational and individual performance measures and indicators.

• Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals, and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations, and ethical standards.

• Actual performance data are continually compared against expected/planned goals, and differences are analyzed.

• Comparisons are made relating different sets of data to one another so that analyses of the relationships can be made and corrective actions can be taken if necessary.

• Investigation of unexpected results or unusual trends leads to identification of circumstances in which the achievement of goals and objectives may be threatened, and corrective action is taken.

• Analysis and review of performance measures and indicators are used for both operational and financial reporting control purposes.

7. Segregation of Duties: Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. Consider the following:

• No one individual is allowed to control all key aspects of a transaction or event.

• Responsibilities and duties involving transactions and events are separated among different employees with respect to authorization, approval, processing and recording, making payments or receiving funds, review and auditing, and the custodial functions and handling of related assets.

• Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist.

• Where feasible, no one individual is allowed to work alone with cash, negotiable securities, or other highly vulnerable assets.

• The responsibility for opening mail is assigned to individuals who have no responsibilities for or access to files or documents pertaining to accounts receivable or cash accounts.

• Bank accounts are reconciled by employees who have no responsibilities for cash receipts, disbursements, or custody.

• Management is aware that collusion can reduce or destroy the control effectiveness of segregation of duties and, therefore, is especially alert for it and attempts to reduce the opportunities for it to occur.

8. Execution of Transactions and Events: Transactions and other significant events are authorized and performed by the appropriate personnel. Consider the following:

• Controls ensure that only valid transactions and other events are initiated or entered into, in accordance with management's decisions and directives.

• Controls are established to ensure that all transactions and other significant events that are entered into are authorized and executed only by employees acting within the scope of their authority.

• Authorizations are clearly communicated to managers and employees and include the specific conditions and terms under which authorizations are to be made.

• The terms of authorizations are in accordance with directives and within limitations established by law, regulation, and management.
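Item 7 (segregation of duties) and item 8 (execution within the scope of authority) describe checks that can be automated against a role table and a transaction record: that no one holds two duties the agency has decided must be separated, that each key step of a transaction was performed by a different person who actually holds that role, and that the approver acted within his or her approval limit. The Python below is an added illustration, not code from the GAO tool; the role codes, the conflict pairs, the approval limits and the sample payments are all constructed for the example.

```python
"""Segregation-of-duties and scope-of-authority checks over payment documents."""
from dataclasses import dataclass

# Hypothetical role codes for the duty classes named in the checklist:
# initiate (processing/recording), approve (authorization), disburse (payment),
# reconcile (review). Each pair below must not be held by one person.
CONFLICTING_PAIRS = (
    ("initiate", "approve"),
    ("approve", "disburse"),
    ("initiate", "disburse"),
    ("disburse", "reconcile"),
    ("initiate", "reconcile"),
)


@dataclass(frozen=True)
class Payment:
    doc_id: str
    amount: int          # whole dollars in this constructed sample
    initiated_by: str
    approved_by: str
    disbursed_by: str


def role_conflicts(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Static check on the role table: who holds two duties that must be separated."""
    found = []
    for user, roles in sorted(assignments.items()):
        for a, b in CONFLICTING_PAIRS:
            if a in roles and b in roles:
                found.append((user, a, b))
    return found


def check_payment(p: Payment, assignments: dict[str, set[str]],
                  approval_limits: dict[str, int]) -> list[str]:
    """Transaction-level check: every key step done by a distinct person who holds
    that role, and the approver's signing authority covers the amount."""
    problems = []
    actors = {"initiate": p.initiated_by, "approve": p.approved_by, "disburse": p.disbursed_by}
    for step, user in actors.items():
        if step not in assignments.get(user, set()):
            problems.append(f"{p.doc_id}: {user} does not hold the {step} role")
    if len(set(actors.values())) < len(actors):
        problems.append(f"{p.doc_id}: one person performed more than one key step")
    limit = approval_limits.get(p.approved_by, 0)   # no entry means no signing authority
    if p.amount > limit:
        problems.append(f"{p.doc_id}: amount {p.amount} exceeds {p.approved_by}'s approval limit of {limit}")
    return problems


def review_payments(payments, assignments, approval_limits) -> dict[str, list[str]]:
    """Returns only the documents with findings, keyed by document id."""
    findings = {}
    for p in payments:
        problems = check_payment(p, assignments, approval_limits)
        if problems:
            findings[p.doc_id] = problems
    return findings


# Constructed sample role table, approval limits, and payment documents.
ASSIGNMENTS = {
    "alice": {"initiate"},
    "bob": {"approve"},
    "carol": {"disburse"},
    "dave": {"reconcile"},
    "erin": {"initiate", "approve"},   # standing conflict: can approve her own documents
}
APPROVAL_LIMITS = {"bob": 10_000, "erin": 2_500}

SAMPLE_PAYMENTS = [
    Payment("PV-0101", 4_000, "alice", "bob", "carol"),    # clean
    Payment("PV-0102", 1_000, "erin", "erin", "carol"),    # self-approval
    Payment("PV-0103", 25_000, "alice", "bob", "carol"),   # beyond bob's authority
    Payment("PV-0104", 500, "alice", "bob", "dave"),       # dave is not a disbursing officer
]

if __name__ == "__main__":
    for user, a, b in role_conflicts(ASSIGNMENTS):
        print(f"ROLE CONFLICT: {user} holds both {a} and {b}")
    for problems in review_payments(SAMPLE_PAYMENTS, ASSIGNMENTS, APPROVAL_LIMITS).values():
        for line in problems:
            print("FINDING:", line)
```

The static check over the role table catches standing conflicts before any transaction occurs; the transaction-level check catches cases the role table allows, such as an over-limit approval or a step performed by someone outside the role. As the checklist warns, neither detects collusion between two properly separated people, so independent reconciliation and review of the findings remain necessary.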

9. Recording of Transactions and Events: Transactions and other significant events are properly classified and promptly recorded. Consider the following:

• Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value, and usefulness to management in controlling operations and making decisions.

• Proper classification and recording take place throughout the entire life cycle of each transaction or event, including authorization, initiation, processing, and final classification in summary records.

• Proper classification of transactions and events includes appropriate organization and format of information on original documents (hardcopy paper or electronic) and summary records from which reports and statements are prepared.

• Excessive adjustments to numbers or account classifications are not necessary prior to finalization of financial reports.

10. Access Restrictions to and Accountability for Resources and Records: Access to resources and records is limited and accountability for their custody is assigned. Consider the following:

• The risk of unauthorized use or loss is controlled by restricting access to resources and records to authorized personnel only.

• Accountability for resources and records custody and use is assigned to specific individuals.

• Access restrictions and accountability assignments for custody are periodically reviewed and maintained.

• Periodic comparison of resources with the recorded accountability is made to determine if the two agree, and differences are examined.

• How frequently actual resources are compared to records and the degree of access restrictions are functions of the vulnerability of the resource to the risk of errors, fraud, waste, misuse, theft, or unauthorized alteration.

• Management considers such factors as asset value, portability, and exchangeability when determining the appropriate degree of access restrictions.

• As a part of assigning and maintaining accountability for resources and records, management informs and communicates those responsibilities to specific individuals within the agency and assures that those people are aware of their duties for appropriate custody and use of those resources.

11. Documentation: Internal control and all transactions and other significant events are clearly documented. Consider the following:

• Written documentation exists covering the agency's internal control structure and for all significant transactions and events.

• The documentation is readily available for examination.

• The documentation for internal control includes identification of the agency's activity-level functions and related objectives and control activities and appears in management directives, administrative policies, accounting manuals, and other such manuals.

• Documentation for internal control includes documentation describing and covering automated information systems, data collection and handling, and the specifics of general and application control related to such systems.⁹

• Documentation of transactions and other significant events is complete and accurate and facilitates tracing the transaction or event and related information from authorization and initiation, through its processing, to after it is completed.

• Documentation, whether in paper or electronic form, is useful to managers in controlling their operations and to any others involved in evaluating or analyzing operations.

• All documentation and records are properly managed, maintained, and periodically updated.

⁹ Additional guidance on documentation of control activities for information processing is provided in the following section under "Control Activities Specific for Information Systems." In addition, see GAO's FISCAM and OMB Circular A-130, Management of Federal Information Resources.

Control Activities Specific for Information Systems – General Control

As stated in the introduction to the Control Activities Section, there are some control activity factors specifically designed for information systems. As discussed in the standard, there are two broad groupings of information systems control – general control and application control. General control includes the structure, policies, and procedures that apply to the agency's overall computer operations. It applies to all information systems – mainframe, minicomputer, network, and end-user environments. General control creates the environment in which the agency's application systems operate. General control activities are presented first, followed by application control activities.

There are six major factors or categories of control activities that need to be considered by the user when evaluating general control: entitywide security management program, access control, application software development and change, system software control, segregation of duties, and service continuity. The factors and related points and some subsidiary points are listed below as examples of issues to be considered. They are meant to illustrate the range and variety of general control activities that are typically used. They are not all-inclusive. Users should refer to the list of critical elements and control activities pertaining to general control provided in GAO's Federal Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). The list below summarizes the FISCAM's list; however, users should refer to the FISCAM for more detailed guidance in performing their evaluation and analysis.

Entitywide Security Management Program Comments/Descriptions

1. The agency periodically performs a comprehensive, high-level assessment of risks to its information systems. Consider the following:

• Risk assessments are performed and documented regularly and whenever systems, facilities, or other conditions change.

• Risk assessments consider data sensitivity and integrity.

• Final risk determinations and managerial approvals are documented and kept on file.

2. The agency has developed a plan that clearly describes the entitywide security program and the policies and procedures that support it.

3. Senior management has established a structure to implement and manage the security program throughout the agency, and security responsibilities are clearly defined.

4. The agency has implemented effective security-related personnel policies.

5. The agency monitors the security program's effectiveness and makes changes as needed. Consider the following:

• Management periodically assesses the appropriateness of security policies and compliance with them.

• Corrective actions are promptly and effectively implemented and tested, and they are continually monitored.

Access Control Comments/Descriptions

1. The agency classifies information resources according to their criticality and sensitivity. Consider the following:

• Resource classifications and related criteria have been established and communicated to resource owners.

• Resource owners have classified their information resources based on the approved criteria and with regard to risk determinations and assessments, and have documented those classifications.

2. Resource owners have identified authorized users, and their access to the information has been formally authorized.

3. The agency has established physical and logical controls to prevent or detect unauthorized access.

4. The agency monitors information systems access, investigates apparent violations, and takes appropriate remedial and disciplinary action.

Application Software Development and Change Control Comments/Descriptions

1. Information system processing features and program modifications are properly authorized.

2. All new or revised software is thoroughly tested and approved.

3. The agency has established procedures to ensure control of its software libraries, including labeling, access restrictions, and use of inventories and separate libraries.

System Software Control Comments/Descriptions

1. The agency limits access to system software based on job responsibilities, and access authorization is documented.

2. Access to and use of system software are controlled and monitored.

3. The agency controls changes made to the system software.

Segregation of Duties Comments/Descriptions

1. Incompatible duties have been identified and policies implemented to segregate those duties.

2. Access controls have been established to enforce segregation of duties.

3. The agency exercises control over personnel activities through the use of formal operating procedures, supervision, and review.
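The segregation of duties points above state the control but not how an evaluator can test it against the entitlements an access control system actually holds. The following is an added example and is not part of this GAO tool or of the FISCAM; the duty names, user names and incompatible-duty pairs are constructed for illustration. It implements both halves of points 1 and 2: a detective check that lists every person currently holding two duties the agency has declared incompatible, and a preventive check that refuses a new grant which would create such a pairing.

```python
"""Segregation-of-duties (SoD) check over an access entitlement list.

Added example; the duty names, user names and conflict pairs below are
constructed for illustration and are not taken from the GAO document.
"""
from itertools import combinations

# Hypothetical incompatible duty pairs an agency might define (constructed).
# Each pair is a classic "initiate vs. approve" or "develop vs. deploy" split.
INCOMPATIBLE_DUTIES = {
    frozenset({"initiate_transaction", "authorize_transaction"}),
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"modify_program_source", "promote_to_production"}),
    frozenset({"custody_of_assets", "record_asset_transactions"}),
}

# Constructed sample of current entitlements (user -> duties granted).
SAMPLE_ENTITLEMENTS = {
    "alice": {"initiate_transaction", "record_asset_transactions"},
    "bob": {"authorize_transaction", "approve_payment"},
    "carol": {"modify_program_source", "promote_to_production"},
    "dave": {"maintain_vendor_master", "approve_payment", "custody_of_assets"},
}


def find_sod_conflicts(entitlements, incompatible=INCOMPATIBLE_DUTIES):
    """Detective control: return sorted (user, duty_a, duty_b) tuples where one
    person holds both duties of an incompatible pair."""
    conflicts = []
    for user, duties in entitlements.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def can_grant(current_duties, new_duty, incompatible=INCOMPATIBLE_DUTIES):
    """Preventive control: refuse a grant that would create a conflict.
    Returns (allowed, conflicting_duty_or_None)."""
    for held in current_duties:
        if frozenset({held, new_duty}) in incompatible:
            return False, held
    return True, None


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(SAMPLE_ENTITLEMENTS):
        print(f"SoD conflict: {user} holds both {a!r} and {b!r}")
    # Attempting to give alice approval authority over what she initiates
    print(can_grant(SAMPLE_ENTITLEMENTS["alice"], "authorize_transaction"))
```

The same two functions cover point 3's supervisory review: the detective report is what a reviewer signs off on periodically, and the preventive check is what the provisioning workflow calls before any grant is written.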

Service Continuity Comments/Descriptions

1. The criticality and sensitivity of computerized operations have been assessed and prioritized, and supporting resources have been identified.

2. The agency has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including off-site storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.

3. Management has developed and documented a comprehensive contingency plan.

4. The agency periodically tests the contingency plan and adjusts it as appropriate.

Control Activities Specific for Information Systems – Application Control

Application control covers the structure, policies, and procedures designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. It includes both the routines contained within the computer program code as well as the policies and procedures associated with user activities, such as manual measures performed by the user to determine that the data were processed accurately by the computer.

There are four major factors or categories of control activities that need to be considered by the user when evaluating application control: authorization control, completeness control, accuracy control, and control over integrity of processing and data files. The factors and related points and some subsidiary points are listed below as examples of issues to be considered. They are meant to illustrate the range and variety of application control activities that are typically used. They are not all-inclusive. In the future, application control evaluation and testing will be addressed in Chapter 4 of GAO's Federal Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). That chapter is currently under development and is expected to be issued with the first update of the FISCAM. However, the list of factors, points, and subsidiary points provided below generally follows the guidance expected to be issued in the FISCAM. Users should refer to Chapter 4 of the FISCAM, when issued, for more detailed guidance in performing their evaluation and analysis.

Authorization Control Comments/Descriptions

1. Source documents are controlled and require authorization. Consider the following:

• Access to blank source documents is restricted.

• Source documents are pre-numbered sequentially.

• Key source documents require authorizing signatures.

• For batch application systems, batch control sheets are used providing information such as date, control number, number of documents, and control totals for key fields.

• Supervisory or independent review of data occurs before it is entered into the application system.

2. Data entry terminals have restricted access.

3. Master files and exception reporting are used to ensure that all data processed are authorized.

Completeness Control Comments/Descriptions

1. All authorized transactions are entered into and processed by the computer.

2. Reconciliations are performed to verify data completeness.

Accuracy Control Comments/Descriptions

1. The agency's data entry design features contribute to data accuracy.

2. Data validation and editing are performed to identify erroneous data.

3. Erroneous data are captured, reported, investigated, and promptly corrected.

4. Output reports are reviewed to help maintain data accuracy and validity.
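The authorization, completeness and accuracy points above (pre-numbered source documents, batch control sheets carrying a document count and control totals for key fields, master-file checks, reconciliation, data validation and exception reporting) are shown working together in the following added example. It is not part of this GAO tool or of the FISCAM; the batch control sheet, account master file, record layout and keyed-in records are constructed, and three of the keyed records carry deliberate defects (one voucher never keyed, one account code not on the master file, one mistyped amount) so that the reconciliation has exceptions to report.

```python
"""Batch completeness and accuracy controls for a constructed batch of
payment vouchers. Added example, not from the GAO document; field names,
master file and control-sheet values are all constructed."""
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed account master file: the only account codes that may be posted to.
MASTER_ACCOUNTS = {"1010", "1020", "1030"}

# Constructed batch control sheet, prepared from the six paper vouchers
# before keying: document count plus control totals over key fields.
CONTROL_SHEET = {
    "date": "2001-08-15",
    "control_number": "B-0042",
    "document_count": 6,
    "amount_total": Decimal("2030.00"),  # control total of the amount field
    "account_hash_total": 6120,          # hash total: arithmetic sum of account codes
}

# Constructed keyed-in records. Voucher 1003 was never keyed, 1005 carries an
# account code absent from the master file, and 1006 has a mistyped amount.
KEYED_RECORDS = """doc_no,account,amount,posting_date
1001,1010,250.00,2001-08-15
1002,1020,300.00,2001-08-15
1004,1030,480.00,2001-08-15
1005,9999,500.00,2001-08-15
1006,1020,30O.00,2001-08-15
"""


def parse_batch(text):
    """Read the keyed batch into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_record(rec, master_accounts=MASTER_ACCOUNTS, batch_date=CONTROL_SHEET["date"]):
    """Edit checks on one record (accuracy control); returns error descriptions."""
    errors = []
    if not rec["doc_no"].isdigit():
        errors.append("document number is not numeric")
    if rec["account"] not in master_accounts:
        errors.append(f"account {rec['account']} not on master file")
    try:
        amount = Decimal(rec["amount"])
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        errors.append(f"amount {rec['amount']!r} is not a number")
    try:
        if date.fromisoformat(rec["posting_date"]).isoformat() != batch_date:
            errors.append("posting date differs from batch date")
    except ValueError:
        errors.append("posting date is not a valid date")
    return errors


def reconcile_batch(records, sheet=CONTROL_SHEET, master_accounts=MASTER_ACCOUNTS):
    """Compare the keyed records with the control sheet (completeness control)
    and collect every exception for the exception report."""
    rejected = {}
    amount_total = Decimal("0")
    hash_total = 0
    for rec in records:
        errs = validate_record(rec, master_accounts, sheet["date"])
        if errs:
            rejected[rec["doc_no"]] = errs
        try:
            amount_total += Decimal(rec["amount"])
        except InvalidOperation:
            pass  # already reported above as an accuracy error
        if rec["account"].isdigit():
            hash_total += int(rec["account"])
    doc_nos = [int(r["doc_no"]) for r in records if r["doc_no"].isdigit()]
    # Pre-numbered documents let us detect both missing and doubly keyed vouchers.
    gaps = sorted(set(range(min(doc_nos), max(doc_nos) + 1)) - set(doc_nos)) if doc_nos else []
    duplicates = sorted({n for n in doc_nos if doc_nos.count(n) > 1})
    return {
        "count_difference": len(records) - sheet["document_count"],
        "amount_difference": amount_total - sheet["amount_total"],
        "hash_difference": hash_total - sheet["account_hash_total"],
        "sequence_gaps": gaps,
        "duplicates": duplicates,
        "rejected": rejected,
        "balanced": len(records) == sheet["document_count"]
        and amount_total == sheet["amount_total"]
        and hash_total == sheet["account_hash_total"]
        and not rejected,
    }


if __name__ == "__main__":
    report = reconcile_batch(parse_batch(KEYED_RECORDS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A batch is released for posting only when `balanced` is true; otherwise the exception report goes back to the data entry supervisor, who corrects the keyed records against the source documents and re-runs the reconciliation. The hash total has no accounting meaning; it exists purely to catch a mis-keyed account code that the document count and amount total would both miss.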

Control Over Integrity of Processing and Data Files Comments/Descriptions

1. Procedures ensure that the current version of production programs and data files is used during processing.

2. Programs include routines to verify that the proper version of the computer file is used during processing.

3. Programs include routines for checking internal file header labels before processing.

4. The application protects against concurrent file updates.
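Points 2 through 4 above (verifying the file version, checking the internal header label before any record is processed, and protecting against concurrent updates) are illustrated by the following added example, which is not taken from this GAO tool or the FISCAM. The label layout (a JSON record on the first line carrying a file identifier, generation number, creation time and record count), the file names and the lock-file scheme are constructed assumptions; a real batch system would use whatever label convention its file manager provides.

```python
"""Internal header-label check and concurrent-update guard for a
generation-versioned master file. Added example, not from the GAO document;
the label layout, file names and lock scheme are constructed."""
import json
import os
import tempfile
from contextlib import contextmanager
from datetime import datetime, timezone


class LabelMismatch(Exception):
    """Raised when the header label does not describe the file the job expects."""


def write_labeled_file(path, file_id, generation, records):
    """Write a data file whose first line is a header label describing it."""
    label = {
        "file_id": file_id,
        "generation": generation,
        "created": datetime.now(timezone.utc).isoformat(),
        "record_count": len(records),
    }
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(json.dumps(label) + "\n")
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


def read_checked(path, expected_file_id, expected_generation):
    """Verify the header label before any record is processed (points 2 and 3)."""
    with open(path, encoding="utf-8") as fh:
        label = json.loads(fh.readline())
        records = [json.loads(line) for line in fh if line.strip()]
    if label.get("file_id") != expected_file_id:
        raise LabelMismatch(f"wrong file: {label.get('file_id')!r}")
    if label.get("generation") != expected_generation:
        raise LabelMismatch(
            f"generation {label.get('generation')} found, {expected_generation} required")
    if label.get("record_count") != len(records):
        raise LabelMismatch("record count in label does not match file contents")
    return label, records


@contextmanager
def exclusive_update(path):
    """Guard a read-modify-write cycle with an exclusive lock file (point 4);
    a second updater gets FileExistsError instead of silently overwriting."""
    lock = path + ".lock"
    fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY)  # atomic create
    try:
        os.write(fd, str(os.getpid()).encode())
        yield
    finally:
        os.close(fd)
        os.remove(lock)


def post_batch(path, file_id, generation, new_records):
    """Apply new_records to the file, producing generation + 1, under the lock."""
    with exclusive_update(path):
        label, records = read_checked(path, file_id, generation)
        write_labeled_file(path, file_id, generation + 1, records + list(new_records))
    return generation + 1


def demo():
    """Exercise the controls on a constructed master file in a temp directory;
    returns (new_generation, label_error_seen, lock_error_seen)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vendor_master.dat")
        write_labeled_file(path, "VENDOR-MASTER", 7, [{"vendor": "V001"}])
        new_gen = post_batch(path, "VENDOR-MASTER", 7, [{"vendor": "V002"}])
        # A job still expecting generation 7 must be refused, not run on stale input.
        try:
            read_checked(path, "VENDOR-MASTER", 7)
            label_error = False
        except LabelMismatch:
            label_error = True
        # While one updater holds the lock, a second updater must be refused.
        with exclusive_update(path):
            try:
                post_batch(path, "VENDOR-MASTER", new_gen, [])
                lock_error = False
            except FileExistsError:
                lock_error = True
        return new_gen, label_error, lock_error


if __name__ == "__main__":
    print(demo())
```

The generation number in the label is what makes point 1 testable: a job is coded (or parameterised) for the generation it expects, so running it against last night's copy or an already-updated file fails at the label check rather than producing a plausible-looking but wrong output.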

Control Activities Summary Section

Provide General Conclusions and Actions Needed Here:

INFORMATION AND COMMUNICATIONS

According to the fourth internal control standard, for an agency to run and control its operations, it must have relevant, reliable information, both financial and nonfinancial, relating to external as well as internal events. That information should be recorded and communicated to management and others within the agency who need it, in a form and within a time frame that enables them to carry out their internal control and operational responsibilities. In addition, the agency needs to make sure that the forms of communications are broad-based and that information technology management assures useful, reliable, and continuous communications. Managers and evaluators should consider the appropriateness of information and communication systems to the entity's needs and the degree to which they accomplish the objectives of internal control. Listed below are factors a user might consider. The list is a beginning point. It is not all-inclusive, nor will every item apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in collecting appropriate data and information and in establishing and maintaining good communications.

Information Comments/Descriptions

1. Information from internal and external sources is obtained and provided to management as a part of the agency's reporting on operational performance relative to established objectives. Consider the following:

• Internally generated information critical to achieving the agency's objectives, including information relative to critical success factors, is identified and regularly reported to management.

• The agency obtains and reports to managers any relevant external information that may affect the achievement of its missions, goals, and objectives, particularly that related to legislative or regulatory developments and political or economic changes.

• Internal and external information needed by managers at all levels is reported to them.

2. Pertinent information is identified, captured, and distributed to the right people in sufficient detail, in the right form, and at the appropriate time to enable them to carry out their duties and responsibilities efficiently and effectively. Consider the following:

• Managers receive analytical information that helps them identify specific actions that need to be taken.

• Information is provided at the right level of detail for different levels of management.

• Information is summarized and presented appropriately and provides pertinent information while permitting a closer inspection of details as needed.

• Information is available on a timely basis to allow effective monitoring of events, activities, and transactions and to allow prompt reaction.

• Program managers receive both operational and financial information to help them determine whether they are meeting the strategic and annual performance plans and meeting the agency's goals for accountability of resources.

• Operational information is provided to managers so that they may determine whether their programs comply with applicable laws and regulations.

• The appropriate financial and budgetary information is provided for both internal and external financial reporting.

Communications Comments/Descriptions

1. Management ensures that effective internal communications occur. Consider the following:

• Top management provides a clear message throughout the agency that internal control responsibilities are important and must be taken seriously.

• Employees' specific duties are clearly communicated to them, and they understand the relevant aspects of internal control, how their role fits into it, and how their work relates to the work of others.

• Employees are informed that when the unexpected occurs in performing their duties, attention must be given not only to the event, but also to the underlying cause, so that potential internal control weaknesses can be identified and corrected before they can do further harm to the agency.

• Acceptable behavior versus unacceptable behavior and the consequences of improper conduct are clearly communicated to all employees.

• Personnel have a means of communicating information upstream within the agency through someone other than a direct supervisor, and there is a genuine willingness to listen on the part of management.

• Mechanisms exist to allow the easy flow of information down, across, and up the organization, and easy communications exist between functional activities, such as between procurement activities and production activities.

• Employees indicate that informal or separate lines of communications exist, which serve as a "fail-safe" control for normal communications avenues.

• Personnel understand that there will be no reprisals for reporting adverse information, improper conduct, or circumvention of internal control activities.

• Mechanisms are in place for employees to recommend improvements in operations, and management acknowledges good employee suggestions with cash awards or other meaningful recognition.

• Management communicates frequently with internal oversight groups, such as senior management councils, and keeps them informed of performance, risks, major initiatives, and any other significant events.

2. Management ensures that effective external communications occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Consider the following:

• Open and effective communications channels have been established with customers, suppliers, contractors, consultants, and other groups that can provide significant input on quality and design of agency products and services.

• All outside parties dealing with the agency are clearly informed of the agency's ethical standards and also understand that improper actions, such as improper billings, kickbacks, or other improper payments, will not be tolerated.

• Communications from external parties, such as other federal agencies, state and local governments, and other related third parties, are encouraged since they can be a source of information on how well internal control is functioning.

• The agency has methods to ensure compliance with the Federal Advisory Committee Act of 1972, since such committees may include individuals external to the agency with whom communications could occur.

• Complaints or inquiries, especially those concerning services, such as shipments, receipts, and billings, are welcomed since they can point out control problems.

• Management makes certain that the advice and recommendations of Inspectors General and other auditors and evaluators are fully considered and that actions are implemented to correct any problems or weaknesses they identify.

• Communications with Congress, OMB, Treasury, other federal agencies, state and local governments, the media, the public, and others provide information relevant to the requesters' needs so that they can better understand the agency's mission, goals, and objectives, better understand the risks facing the agency, and thus better understand the agency.

Forms and Means of Communications Comments/Descriptions

1. The agency employs many and various forms and means of communicating important information with employees and others. Consider the following:

• Management uses effective communications methods, which may include policy and procedures manuals, management directives, memoranda, bulletin board notices, internet and intranet web pages, videotaped messages, e-mail, and speeches.

• Two of the most powerful forms of communications used by management are the positive actions it takes in dealing with personnel throughout the organization and its demonstrated support of internal control.

2. The agency manages, develops, and revises its information systems in an effort to continually improve the usefulness and reliability of its communication of information. Consider the following:

• Information systems management is based on a strategic plan for information systems that is linked to the agency's overall strategic plan.

• A mechanism exists for identifying emerging information needs.

• As part of the agency's information management, improvements and advances in technology are monitored, analyzed, evaluated, and introduced to help the agency respond more rapidly and efficiently to those it serves.

• Management continually monitors the quality of the information captured, maintained, and communicated, as measured by such factors as appropriateness of content, timeliness, accuracy, and accessibility.

• Management's support for the development of information technology is demonstrated by its commitment of appropriate human and financial resources to the effort.

Information and Communications Summary Section

Provide General Conclusions and Actions Needed Here:

MONITORING

Monitoring is the final internal control standard. Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. In considering the extent to which the continued effectiveness of internal control is monitored, both ongoing monitoring activities and separate evaluations of the internal control system, or portions thereof, should be considered. Ongoing monitoring occurs during normal operations and includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties. It includes ensuring that managers and supervisors know their responsibilities for internal control and the need to make control and control monitoring part of their regular operating processes. Separate evaluations are a way to take a fresh look at internal control by focusing directly on the controls' effectiveness at a specific time. These evaluations may take the form of self-assessments as well as review of control design and direct testing, and may include the use of this Management and Evaluation Tool or some similar device. In addition, monitoring includes policies and procedures for ensuring that any audit and review findings and recommendations are brought to the attention of management and are resolved promptly. Managers and evaluators should consider the appropriateness of the agency's internal control monitoring and the degree to which it helps them accomplish their objectives. Listed below are factors a user might consider. The list is a beginning point. It is not all-inclusive, and every item might not apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in establishing and maintaining good internal control monitoring policies and procedures.

Ongoing Monitoring Comments/Descriptions

1. Management has a strategy to ensure that ongoing monitoring is effective and will trigger separate evaluations where problems are identified or systems are critical and testing is periodically desirable. Consider the following:

• Management's strategy provides for routine feedback and monitoring of performance and control objectives.

• The monitoring strategy includes methods to emphasize to program and operational managers that they have responsibility for internal control and that they should monitor the effectiveness of control activities as a part of their regular duties.

• The monitoring strategy includes methods to emphasize to program managers their responsibility for internal control and their duty to regularly monitor the effectiveness of control activities.

• The monitoring strategy includes identification of critical operational and mission support systems that need special review and evaluation.

• The strategy includes a plan for periodic evaluation of control activities for critical operational and mission support systems.

2. In the process of carrying out their regular activities, agency personnel obtain information about whether internal control is functioning properly. Consider the following:

• Operating reports are integrated or reconciled with financial and budgetary reporting system data and used to manage operations on an ongoing basis, and management is aware of inaccuracies or exceptions that could indicate internal control problems.

• Operating management compares production, sales, or other operating information obtained in the course of its daily activities to system-generated information and follows up on any inaccuracies or other problems that might be found.

• Operating personnel are required to "sign off" on the accuracy of their unit's financial statements and are held accountable if errors are discovered.

3. Communications from external parties should corroborate internally generated data or indicate problems with internal control. Consider the following:

• Management recognizes that customers paying invoices help to corroborate billing data, while customer complaints indicate that deficiencies may exist; these deficiencies are then investigated to determine the underlying causes.

• Communications from vendors and monthly statements of accounts payable are used as control monitoring techniques.

• Supplier complaints about any unfair practices by agency purchasing agents are investigated.

• Congress and oversight groups communicate information to the agency about compliance or other matters that reflect on the functioning of internal control, and management follows up on any problems indicated.

• Control activities that should have prevented or detected any problems that arose, but did not function properly, are reassessed.

4. Appropriate organizational structure and supervision help provide oversight of internal control functions. Consider the following:

• Automated edits and checks as well as clerical activities are used to help control accuracy and completeness of transaction processing.

• Separation of duties and responsibilities is used to help deter fraud.

• The Inspector General is independent, has authority to report directly to the agency head, and does not conduct agency operations for management.

5. Data recorded by information and financial systems are periodically compared with physical assets, and discrepancies are examined. Consider the following:

• Inventory levels of materials, supplies, and other assets are checked regularly; differences between recorded and actual amounts are corrected; and the reasons for the discrepancies are resolved.

• The frequency of the comparison is a function of the vulnerability of the asset.

• Custodial accountability for assets and resources is assigned to responsible individuals.

6. The Inspector General and other auditors and evaluators regularly provide recommendations for improvements in internal control, with management taking appropriate follow-up action.

7. Meetings with employees are used to provide management with feedback on whether internal control is effective. Consider the following:

• Relevant issues, information, and feedback concerning internal control raised at training seminars, planning sessions, and other meetings are captured and used by management to address problems or strengthen the internal control structure.

• Employee suggestions on internal control are considered and acted upon as appropriate.

• Management encourages employees to identify internal control weaknesses and report them to the next supervisory level.

8. Employees are regularly asked to state explicitly whether they comply with the agency's code of conduct or similar agency pronouncements of expected employee behavior. Consider the following:

• Personnel periodically acknowledge compliance with the code of conduct.

• Signatures are required to evidence performance of critical internal control functions, such as reconciliations.

Separate Evaluations Comments/Descriptions

1. The scope and frequency of separate evaluations of internal control are appropriate for the agency. Consider the following:

• Consideration is given to the risk assessment results and the effectiveness of ongoing monitoring when determining the scope and frequency of separate evaluations.

• Separate evaluations are often prompted by events such as major changes in management plans or strategies, major expansion or downsizing of the agency, or significant changes in operations or processing of financial or budgetary information.

• Appropriate portions or sections of internal control are evaluated regularly.

• Separate evaluations are conducted by personnel with the required skills, which may include the agency's Inspector General or an external auditor.

2. The methodology for evaluating the agency's internal control is logical and appropriate. Consider the following:

• The methodology used may include self-assessments using checklists, questionnaires, or other such tools, and it may include the use of this Management and Evaluation Tool or some similar device.

• The separate evaluations may include a review of the control design and direct testing of the internal control activities.

• In agencies where large amounts of data are processed by the information and/or financial systems, the separate evaluation methodology employs computer-assisted audit techniques to identify indicators of inefficiencies, waste, or abuse.

• The evaluation team develops a plan for the evaluation process to ensure a coordinated effort.

• If the evaluation process is conducted by agency employees, it is managed by an executive with the requisite authority, capability, and experience.

• The evaluation team gains a sufficient understanding of the agency's missions, goals, and objectives and its operations and activities.

• The evaluation team gains an understanding of how the agency's internal control is supposed to work and how it actually does work.

• The evaluation team analyzes the results of the evaluation against established criteria.

• The evaluation process is properly documented.

3. If the separate evaluations are conducted by the agency's Inspector General, that office has sufficient resources, ability, and independence. Consider the following:¹⁰

• The Inspector General has sufficient levels of competent and experienced staff.

• The Inspector General is organizationally independent and reports to the highest levels within the agency.

• The responsibilities, scope of work, and audit plans of the Inspector General are appropriate to the agency's needs.

4. Deficiencies found during separate evaluations are promptly resolved. Consider the following:

• Deficiencies are promptly communicated to the individual responsible for the function and also to at least one level of management above that individual.

• Serious deficiencies and internal control problems are promptly reported to top management.

¹⁰ This particular point and the related subsidiary points are not expected to be assessed by agency management or the agency Inspector General. However, their consideration may be useful in outside reviews or peer reviews.


Audit Resolution¹¹ Comments/Descriptions

1. The agency has a mechanism to ensure the prompt resolution of findings from audits and other reviews. Consider the following:

• Managers promptly review and evaluate findings resulting from audits, FMFIA and FFMIA assessments, and other reviews, including those showing deficiencies and those identifying opportunities for improvements.

• Management determines the proper actions to take in response to findings and recommendations.

• Corrective action is taken or improvements made within established time frames to resolve the matters brought to management's attention.

• In cases where there is disagreement with the findings or recommendations, management demonstrates that those findings or recommendations are either invalid or do not warrant action.

• Management considers consultations with auditors (such as GAO, the Inspector General, and other external auditors) and reviewers when they are believed to be helpful in the audit resolution process.

2. Agency management is responsive to the findings and recommendations of audits and other reviews aimed at strengthening internal control. Consider the following:

• Executives with the proper authority evaluate the findings and recommendations and decide upon the appropriate actions to take to correct or improve control.

• Desired internal control actions are followed up on to verify implementation.

¹¹ Audit Resolution includes the resolution of findings and recommendations not just from formal audits, but also those resulting from informal reviews, internal separate evaluations, management studies, and assessments made pursuant to the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982 and the Federal Financial Management Improvement Act (FFMIA) of 1996.


3. The agency takes appropriate follow-up actions with regard to findings and recommendations of audits and other reviews. Consider the following:

• Problems with particular transactions or events are corrected promptly.

• The underlying causes giving rise to the findings or recommendations are investigated by management.

• Actions are decided upon to correct the situation or take advantage of the opportunity for improvements.

• Management and auditors follow up on audit and review findings, recommendations, and the actions decided upon to ensure that those actions are taken.

• Top management is kept informed through periodic reports on the status of audit and review resolution so that it can ensure the quality and timeliness of individual resolution decisions.


Monitoring Summary Section

Provide General Conclusions and Actions Needed Here:


OVERALL INTERNAL CONTROL SUMMARY

Control Environment Assessment/Conclusions

Management and employees have a positive and supportive attitude toward internal control and conscientious management. Management conveys the message that integrity and ethical values must not be compromised. The agency demonstrates a commitment to the competence of its personnel and employs good human capital policies and practices. Management has a philosophy and operating style that is appropriate to the development and maintenance of effective internal control. The agency's organizational structure and the way in which it assigns authority and responsibility contribute to effective internal control. The agency has a good working relationship with Congress and oversight groups.

Risk Assessment

The agency has established clear and consistent entitywide objectives and supporting activity-level objectives. Management has made a thorough identification of risks, from both internal and external sources, that may affect the ability of the agency to meet those objectives. An analysis of those risks has been performed, and the agency has developed an appropriate approach for risk management. In addition, mechanisms are in place to identify changes that may affect the agency's ability to achieve its missions, goals, and objectives.

Control Activities

Appropriate policies, procedures, techniques, and control mechanisms have been developed and are in place to ensure adherence to established directives. Proper control activities have been developed for each of the agency's activities. The control activities identified as necessary are actually being applied properly.


Information and Communications

Information systems are in place to identify and record pertinent operational and financial information relating to internal and external events. That information is communicated to management and others within the agency who need it and in a form that enables them to carry out their duties and responsibilities efficiently and effectively. Management ensures that effective internal communications take place. It also ensures that effective external communications occur with groups that can affect the achievement of the agency's missions, goals, and objectives. The agency employs various forms of communications appropriate to its needs and manages, develops, and revises its information systems in a continual effort to improve communications.

Monitoring

Agency internal control monitoring assesses the quality of performance over time. It does this by putting procedures in place to monitor internal control on an ongoing basis as a part of the process of carrying out its regular activities. It includes ensuring that managers know their responsibilities for internal control and control monitoring. In addition, separate evaluations of internal control are periodically performed and the deficiencies found are investigated. Procedures are in place to ensure that the findings of all audits and other reviews are promptly evaluated, decisions are made about the appropriate response, and actions are taken to correct or otherwise resolve the issues promptly.


RELATED PRODUCTS

These related products address three main categories: internal control, financial management systems, and financial reporting (accounting standards). We have developed these guidelines and tools to assist agencies in improving or maintaining effective operations and financial management.

Internal Control

Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, November 1999.

Streamlining the Payment Process While Maintaining Effective Internal Control, GAO/AIMD-00-21.3.2, May 2000.

Determining Performance and Accountability Challenges and High Risks, GAO-01-159SP, November 2000.

Financial Management Systems

Framework for Federal Financial Management System Checklist, GAO/AIMD-98-21.2.1, May 1998.

Inventory System Checklist, GAO/AIMD-98-21.2.4, May 1998.

System Requirements for Managerial Cost Accounting Checklist, GAO/AIMD-99-21.2.9, January 1999.

Core Financial System Requirements Checklist, GAO/AIMD-00-21.2.2, February 2000.

Human Resources and Payroll Systems Requirements Checklist, GAO/AIMD-00-21.2.3, March 2000.

Direct Loan System Requirements Checklist, GAO/AIMD-00-21.2.6, April 2000.

Travel System Requirements Checklist, GAO/AIMD-00-21.2.8, May 2000.

Seized Property and Forfeited Assets Requirements Checklist, GAO-01-99G, October 2000.

Guaranteed Loan System Requirements Checklist, GAO-01-371G, March 2001.

Financial Reporting (Accounting Standards)

"Checklist for Reports Prepared Under the CFO Act" (Section 1004 of the GAO/PCIE Financial Audit Manual (FAM), July 2001). This is a checklist containing agency financial statement reporting requirements.

These documents are available on the Internet on GAO's home page (www.gao.gov) under the heading "Other Publications" and the subheading "Accounting and Financial Management." They can also be obtained from GAO, 700 4th Street NW, Room 1100, Washington DC 20548, or by calling (202) 512-6000 or TDD (202) 512-2537.

Ordering Information

The first copy of each GAO report is free. Additional copies of reports are $2 each. A check or money order should be made out to the Superintendent of Documents. VISA and MasterCard credit cards are also accepted.

Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

Orders by visiting:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders by phone:
(202) 512-6000
fax: (202) 512-6061
TDD (202) 512-2537

Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists.

Orders by Internet:
For information on how to access GAO reports on the Internet, send an e-mail message with "info" in the body to:

[email protected]

or visit GAO’s World Wide Web home page at:

http://www.gao.gov

To Report Fraud, Waste, or Abuse in Federal Programs

Contact one:

• Web site: http://www.gao.gov/fraudnet/fraudnet.htm

• e-mail: [email protected]

• 1-800-424-5454 (automated answering system)
