International Journal of Government Auditing – January 2015

GAO issues revision of internal control standards

In an age of shifting environments, evolving demands, changing risks, and new priorities, government entities, including Supreme Audit Institutions (SAIs), constantly look for ways to improve their performance. By implementing an effective internal control system, SAIs can work more efficiently and effectively to achieve their goals.

Internal control—an organizational process used to help an entity achieves its objectives —is a matter of great interest to SAIs worldwide. SAIs can play a key role in establishing internal control standards. In the United States, the U.S. Government Accountability Office (GAO) publishes Standards for Internal Control in the Federal Government (also known as the “Green Book”), which sets the internal control standards for federal entities. Because GAO issued the most recent Green book in 1999, GAO recognized the need to update the standards in order to adapt to various changes in the ways the government operates.

What is the Green Book?

Internal controls are the plans, methods, policies, and procedures organizations, including governments, use to ensure that they are meeting their objectives. These objectives can be broadly classified into three categories: operations, reporting, and compliance. Internal control helps an organization operate more efficiently and effectively, report reliable information about its operations, and comply with applicable laws and regulations.

Greenbook: 4 Graphics connected by arrows: objective identified; controls designed; controls in place, objective achieved.  Source:  Gao | GAO-14-704G

GAO’s Green Book defines the standards for internal control in the federal government. The document provides an overall framework for establishing and maintaining an effective internal control system. The new edition of the Green Book, issued September 2014, retains the five components of internal control found in past editions, and presents 17 new principles that enumerate management responsibilities in implementing and overseeing an effective internal control system. Each principle has important characteristics, called attributes, which explain principles in greater detail.

The five components and 17 principles of internal control are:

portrait: Ellen van Schoten

Control Environment is the foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

  • The oversight body and management should demonstrate a commitment to integrity and ethical values.
  • The oversight body should oversee the entity’s internal control system.
  • Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
  • Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
  • Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

Risk Assessment assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

  • Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  • Management should identify, analyze, and respond to risks related to achieving the defined objectives.
  • Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
  • Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Control Activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.

  • Management should design control activities to achieve objectives and respond to risks.
  • Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
  • Management should implement control activities through policies.

Information and Communication refers to the quality information management and personnel communicate and use to support the internal control system.

  • Management should use quality information to achieve the entity’s objectives.
  • Management should internally communicate the necessary quality information to achieve the entity’s objectives.
  • Management should externally communicate the necessary quality information to achieve the entity’s objectives.

Monitoring includes activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

  • Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
  • Management should remediate identified internal control deficiencies on a timely basis.

How can a SAI use the Green Book to Establish Internal Control Standards?

In order to improve its performance, an SAI can incorporate the concepts from the Green Book into their internal control standards. The Green Book can serve as a guide to design, implement, and operate internal controls to achieve its objectives related to operations, reporting, and compliance. Based on applicable laws and regulations, an SAI can determine how to appropriately adapt the standards presented in the Green Book as a framework for the organization.

Internal control is advantageous to a SAI in many ways. First, it provides management with added confidence regarding the achievement of objectives. Second, internal control provides feedback on how effectively an entity is operating. Finally, it helps reduce risks affecting the achievement of the entity’s objectives.


Internal control is a dynamic, iterative, and integrated process built into the day to day operations of an organization. The Green Book can be used as a resource for auditors to model criteria for an effective internal control system and use that criteria to audit government entities.

In addition, SAIs could, by using this tool, continually evaluate their own internal control system in order to improve performance.