HEADS OF DEPARTMENTS AND AGENCIES

United States General Accounting Office

Washington, DC 20548

February 2001

HEADS OF DEPARTMENTS AND AGENCIES

The Federal Managers’ Financial Integrity Act of 1982 requires, among other things, that theGeneral Accounting Office (GAO) issue standards for internal control in the federalgovernment. GAO first issued the standards in 1983. They became widely known throughoutthe government as the “Green Book.” Since then, changes in information technology,emerging issues involving human capital management, and requirements of recent financialmanagement-related legislation has prompted renewed focus on internal control.Consequently, GAO revised the standards and reissued them as Standards for InternalControl in the Federal Government (GAO/AIMD-00-21.3.1, November 1999). These standardsprovide the overall framework for establishing and maintaining internal control and foridentifying and addressing major performance challenges and areas at greatest risk for fraud,waste, abuse, and mismanagement.

We are issuing this Management and Evaluation Tool, which is based upon GAO’s Standardsfor Internal Control in the Federal Government, to assist agencies in maintaining orimplementing effective internal control and, when needed, to help determine what, where,and how improvements can be implemented. Although this tool is not required to be used, itis intended to provide a systematic, organized, and structured approach to assessing theinternal control structure. This tool, GAO’s Standards for Internal Control, and the Office ofManagement and Budget Circular A-123, Management Accountability and Control (RevisedJune 21, 1995), should be used concurrently. Judgment must be applied in the interpretationand application of this tool to enable a user to consider the impact of the completeddocument on the entire internal control structure.

To facilitate review, this Exposure Draft is located on the Internet on GAO’s Home Page(www.gao.gov) under “Other Publications.” Additional copies can be obtained from the U.S.General Accounting Office, Room 1100, 700 4th Street, NW, Washington, DC 20548, or bycalling (202) 512-6200, or TDD (202) 512-2537. Please send comments by May 15, 2001, toBruce K. Michelson, Assistant Director, Financial Management and Assurance Team, at theU.S. General Accounting Office, 441 G Street, NW, Room 5061, Washington, DC 20548.

Jeffrey C. SteinhoffManaging DirectorFinancial Management and Assurance

GAOUnited States General Accounting Office

Internal Control Standards

February 2001 Internal Control Management and Evaluation Tool

EXPOSURE DRAFT

GAO-01-131G

GAO-01-131G – Internal Control Management and Evaluation Tool ED (2/01)

CONTENTS

Introduction 3

Control Environment 7

Risk Assessment 21

Control Activities 31

Information and Communications 49

Monitoring 57

Overall Summary 65

Related Products 67

Abbreviations

CFO Chief Financial OfficerCOSO Committee of Sponsoring Organizations of the Treadway CommissionFAM Financial Audit ManualFFMIA Federal Financial Management Improvement Act of 1996FISCAM Federal Information System Controls Audit ManualFMFIA Federal Managers� Financial Integrity Act of 1982GAO General Accounting OfficeGPRA Government Performance and Results Act of 1993OMB Office of Management and Budget

GAO-01-131G – Internal Control Management and Evaluation Tool ED (2/01)Page 2

(BLANK)


INTRODUCTION

As federal managers strive to achieve their agency�s missions and goals and provideaccountability for their operations, they need to continually assess and evaluate their internalcontrol structure to assure that it is well designed and operated, appropriately updated to meetchanging conditions, and provides reasonable assurance that the objectives of the agency arebeing achieved. Specifically, managers need to examine internal control to determine how wellit is performing, how it may be improved, and the degree to which it helps identify and addressmajor risks for fraud, waste, abuse, and mismanagement.

This document is an Internal Control Management and Evaluation Tool. Although this tool isnot required to be used, it is intended to help management and evaluators determine how well anagency�s internal control is designed and functioning and help determine what, where, and howimprovements, when needed, may be implemented.

This tool is based upon the guidance provided in GAO�s Standards for Internal Control in theFederal Government (GAO/AIMD-00-21.3.1, issued November 1999). That document providescontext for the use and application of this tool. Consequently, users of this tool should befamiliar with the standards provided in that document. In addition, users should be experiencedstaff who are familiar with internal control terminology, the use of control activities andtechniques, and the overall application of internal control requirements.

The tool is presented in five sections corresponding to the five standards for internal control:control environment, risk assessment, control activities, information and communications, andmonitoring. Each section contains a list of major factors to be considered when reviewinginternal control as it relates to the particular standard. These factors represent some of the moreimportant issues addressed by the standard. Included under each factor are points and subsidiarypoints that users should consider when addressing the factor. The points and subsidiary pointsare intended to help users consider specific items that indicate the degree to which internalcontrol is functioning. Users should apply informed judgment when considering the specificpoints and subsidiary points to determine (1) the applicability of the point to the circumstances,(2) whether the agency has actually been able to implement, perform, or apply the point, (3) anycontrol weaknesses that may actually result, and (4) the extent to which the point impacts on theagency�s ability to achieve its mission and goals.

Space is provided beside each point and subsidiary point for the user to note comments orprovide descriptions of the circumstances affecting the issue. Comments and descriptionsusually will not be of the �yes/no� type, but will generally include information on how theagency does or does not address the issue. This tool is intended to help users reach a conclusionabout the agency�s internal control as it pertains to the particular standard. In this regard, a spaceis provided at the end of each section for the user to note the general overall assessment and toidentify actions that might need to be taken or considered. Additional space is provided for anoverall summary assessment at the end of the tool.


This tool could be useful in assessing internal control as it relates to the achievement of theobjectives in any of the three major control categories, i.e. effectiveness and efficiency ofoperations, reliability of financial reporting, and compliance with laws and regulations. It mayalso be useful with respect to the subset objective of safeguarding assets from fraud, waste,abuse, or misuse. In addition, the tool may be used when considering internal control as it relatesto any of the various activities of an agency, such as administration, human capital management,financial management, acquisition and procurement, provision of goods or services, etc.

Furthermore, the tool may be helpful in meeting the reporting requirements of the FederalManagers� Financial Integrity Act (FMFIA) of 1982. The FMFIA requires annual reporting onagency internal control. The Act directs the head of each executive agency to provide an annualstatement as to whether the agency�s internal control complies with the prescribed standards.Essentially, this requires the report to make a declaration as to the effectiveness of the internalcontrol. If the internal control does not comply with such requirements, the report is to identifymaterial weaknesses and the plans and schedule for correcting those weaknesses. Office ofManagement and Budget (OMB) Circular A-123, Management Accountability and Control,revised June 21, 1995, provides agencies guidance on how to satisfy the FMFIA reportingrequirements.1

It should be understood that this tool is not an authoritative part of the Standards for InternalControl. Rather, it is intended as a supplemental guide that federal managers and evaluators mayuse in assessing the effectiveness of internal control and identifying important aspects of controlin need of improvement. Users should keep in mind that this tool is a starting point and that itcan and should be modified to fit the circumstances, conditions, and risks relevant to thesituation of the agency. Not all of the points or subsidiary points need to be considered for everyagency or activity. Users should consider the relevant points and subsidiary points and delete oradd others as appropriate to their particular entity or circumstances. In addition, users shouldnote that this document follows the format of the Standards for Internal Control. Users mayrearrange or reorganize the points and subsidiary points to fit their particular needs or desires.

It should be further noted that this tool is not the only resource available for assessing internalcontrol. It should be used in conjunction with other resources such as the guidance provided inOMB Circular A-123, Management Accountability and Control, revised June 21, 1995.Financial statement auditors should follow GAO�s Financial Audit Manual (FAM),(GAO/AFMD-12.19.5A/B, December 1997), as amended. The FAM provides the process andmethodology the auditor is to follow when reviewing internal control in financial audits. Thefinancial auditor considers internal control primarily as it relates to financial reporting andcompliance with laws and regulations. Relating to internal control, the FAM focuses on theauditor�s identification and assessment of risk as it relates to the financial statement auditobjectives. On the other hand, this tool discusses internal control from a broader, overall entityperspective based on the internal control standards and focusing on management�s operationaland program objectives. Although the focus of each document is different, they arecomplementary.

1OMB Circular A-123 uses the term “management control,” whereas this document uses the term “internalcontrol.” GAO’s Internal Control Standards state that these terms are synonymous.


This Management and Evaluation Tool was developed using many different sources ofinformation and ideas. The primary source was, of course, GAO�s Standards for InternalControl in the Federal Government. Additional guidance was obtained from the �EvaluationTools� Section of Internal Control � Integrated Framework, by the Committee of SponsoringOrganizations of the Treadway Commission (COSO), issued in September 1992. Considerationwas given to the requirements of pertinent legislation including the Federal Managers� FinancialIntegrity Act (FMFIA) of 1982, the Chief Financial Officers Act of 1990, the GovernmentPerformance and Results Act (GPRA) of 1993, and the Federal Financial ManagementImprovement Act (FFMIA) of 1996. Further guidance was developed using prior GAOpublications including HUMAN CAPITAL: A Self-Assessment Checklist for Agency Leaders,Discussion Draft (GAO/GGD-99-179, September 1999) and the Federal Information SystemControls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). Finally, essentialmaterial was also developed based on the many years of experience of many GAO evaluatorsand analysts in reviewing and assessing federal agency internal control.

This publication is one in a series of documents issued by GAO to assist agencies in improvingor maintaining effective operations. See the last page of this document for a listing of relatedproducts.


(BLANK)


CONTROL ENVIRONMENT

According to the first internal control standard, which relates to control environment,management and employees should establish and maintain an environment throughout theorganization that sets a positive and supportive attitude toward internal control and conscientiousmanagement. There are several key factors that affect the accomplishment of this goal.Management and evaluators should consider each of these control environment factors whendetermining whether a positive control environment has been achieved. The factors that shouldbe focused on are listed below. The list is a beginning point. It is not all-inclusive and not everyitem will apply to every agency or activity within the agency. Even though some of thefunctions are subjective in nature and require the use of judgment, they are important inachieving control environment effectiveness.

Integrity and Ethical Values Comments/Descriptions

1. The agency has established and uses formal codes ofconduct and other policies communicating appropriateethical and moral behavioral standards and addressingacceptable operational practices and conflicts ofinterest. Consider the following:

� The codes are comprehensive in nature and directlyaddress issues such as improper payments,appropriate use of resources, conflicts of interest,political activities of employees, acceptance of giftsor foreign decorations, technical proficiency andcontinuing education, and use of due professionalcare.

� The codes are periodically acknowledged bysignature from all employees.

� Employees indicate that they know what kind ofbehavior is acceptable and unacceptable, know whatpenalties unacceptable behavior may bring, and whatto do if they become aware of unacceptable behavior.

2. An ethical tone has been established at the top of theorganization and has been communicated throughoutthe agency. Consider the following:



� Management fosters and encourages an agencyculture that emphasizes the importance of integrityand ethical values. This might be achieved throughoral communications in meetings, via one-on-onediscussions, and by example in day-to-day activities.

� Employees indicate that peer pressure exists forappropriate moral and ethical behavior.

� Management takes quick and appropriate action assoon as there are any signs that a problem may exist.

3. Dealings with employees, suppliers, insurers, auditors,Congress, the public, and others are conducted on ahigh ethical plane. Consider the following:

� Financial, budgetary, and operational reports toCongress and the public are proper and accurate (notintentionally misleading).

� Management cooperates with auditors and otherevaluators, does not attempt to hide known problemsfrom them, and values their comments andrecommendations.

� Underbillings by suppliers or overpayments by usersor customers are quickly corrected.

� The agency has a well-defined and understoodprocess for dealing with employee claims andconcerns in a timely and appropriate manner and noeffort is made to reject such claims.

4. Appropriate disciplinary action is taken in response todepartures from approved policies and procedures orviolations of the code of conduct. Consider thefollowing:

� Management takes action when there are violations ofpolicies, procedures, or the code of conduct.



� The types of disciplinary actions that can be taken arewidely communicated throughout the agency so thatothers know that if they behave improperly, they willface similar consequences.

5. Management appropriately addresses intervention oroverriding internal control. Consider the following:

� Guidance exists concerning the circumstances andfrequency with which intervention may be needed.

� Any intervention or overriding of internal control isfully documented as to reasons/specific actions taken.

� Overriding of internal control by low-levelmanagement personnel is prohibited when applicable.

6. Management removes temptation for unethicalbehavior. Consider the following:

� Management does not pressure employees to meetunrealistic performance goals.

� Management does not provide extreme incentives orother unfair or unnecessary temptations that testintegrity or adherence to ethical values.

� Compensation and promotion are based onachievements and performance.

Commitment to Competence Comments/Descriptions

1. Management has identified and defined the tasksrequired to accomplish particular jobs and fill thevarious positions. Consider the following:

� Management has analyzed the tasks that need to beperformed for particular jobs and given considerationto such things as the level of judgment required andthe extent of supervision necessary.


Commitment to Competence Comments/Descriptions

� Formal job descriptions or other means of identifyingand defining specific tasks required for job positionshave been established.

2. The agency has performed analyses of the knowledge,skills, and abilities needed to perform jobs in anappropriate manner. Consider the following:

� The knowledge, skills, and abilities needed forvarious jobs have been identified and made known toemployees.

� Evidence exists that the agency attempts to make surethat employees selected for various positions have therequisite knowledge, skills, and abilities.

3. The agency provides training and counseling in orderto help employees maintain and improve theircompetence for the job. Consider the following:

� There is an appropriate training program to meet theneeds of all employees.

� The agency emphasizes the need for continuingtraining and has a control mechanism to help ensurethat all employees actually received appropriatetraining.

� Performance appraisals are based on an assessment ofcritical job factors and clearly identify areas in whichthe employee is performing well and areas that needimprovement.

� Employees are provided candid and constructive jobperformance counseling.

4. Key senior-level employees have a demonstratedability in general management and extensive practicalexperience in operating governmental or businessentities.


Management�s Philosophy and Operating Style Comments/Descriptions

1. Management has an appropriate attitude toward risk-taking, and proceeds with new ventures, missions, oroperations only after carefully analyzing the risksinvolved and determining how they may be minimizedor mitigated.

2. Management enthusiastically endorses the use ofperformance-based management.

3. There has not been excessive personnel turnover in keyfunctions such as operations and programmanagement, accounting, or internal audit that wouldindicate a problem with the agency�s emphasis oninternal control. Consider the following:

� There has not been excessive turnover of supervisorypersonnel related to internal control problems, andthere is a strategy for dealing with turnover related toconstraints and limitations such as salary caps.

� Key personnel have not quit unexpectedly.

� There is no pattern to personnel turnover that wouldindicate a problem with the emphasis thatmanagement places in internal control.

4. Management has a positive and supportive attitudetoward the functions of accounting, informationmanagement systems, personnel operations,monitoring, and internal and external audits andevaluations. Consider the following:

� The financial accounting and budgeting operationsare considered essential to the well-being of theorganization and viewed as methods for exercisingcontrol over the entity�s various activities.

� Management regularly relies on accounting/financialdata from its systems for decision-making purposesand performance evaluation.

� If the accounting operation is decentralized, unitaccounting personnel also have responsibility tocentral financial officers.



� Both the financial accounting and budgetingoperations are under the direction of the ChiefFinancial Officer (CFO) and strong synchronizationand coordination exists between budgetary andproprietary financial accounting activities.

� Management looks to the information managementfunction for critical operating data and supportsefforts to make improvements in the systems astechnology advances.

� Personnel operations have a high priority and seniorexecutives emphasize the importance of good humancapital management.

� Management places a high degree of importance onthe work of the Inspector General, external audits,and other evaluations and studies and is responsive toinformation developed through such products.

5. Valuable assets and information are safeguarded fromunauthorized access or use.

6. There is frequent interaction between seniormanagement and operating/program management,especially when operating from geographicallydispersed locations.

7. Management has an appropriate attitude towardfinancial, budgetary, and operational/programaticreporting. Consider the following:

� Management is informed and involved in criticalfinancial reporting issues and supports a conservativeapproach toward the application of accountingprinciples and estimates.

� Management supports the disclosure of all financial,budgetary, and programmatic information needed tofully understand the operations and financialcondition of the agency.

� Management avoids focus on short-term reportedresults.



� Personnel do not submit inappropriate or inaccuratereports in order to meet targets.

� Facts are not exaggerated and budgetary estimates arenot stretched to a point of unreasonableness.

Organizational Structure Comments/Descriptions

1. The agency�s organizational structure is appropriatefor its size and the nature of its operations. Considerthe following:

� The organizational structure facilitates the flow ofinformation throughout the agency.

� The organizational structure is appropriatelycentralized or decentralized, given the nature of itsoperations, and management has clearly articulatedthe considerations and factors taken into account inbalancing the degree of centralization versusdecentralization.

2. Key areas of authority and responsibility are definedand communicated throughout the organization.Consider the following:

� Executives in charge of major activities or functionsare fully aware of their duties and responsibilities.

� An accurate organizational chart showing key areasof responsibility is provided to all employees.

� Executives and key managers understand theirinternal control responsibilities and ensure that theirstaff also understand their own responsibilities.

3. Appropriate and clear internal reporting relationshipshave been established. Consider the following:

� Reporting relationships have been established andeffectively provide managers information they needto carry out their responsibilities and perform theirjobs.


Organizational Structure Comments/Descriptions

� Employees are aware of the established reportingrelationships.

� Mid-level managers can easily communicate withsenior operating executives.

4. Management periodically evaluates the organizationalstructure and makes changes as necessary in responseto changing conditions.

5. The agency has the appropriate numbers of employees,particularly in managerial positions. Consider thefollowing:

� Managers and supervisors have time to carry out theirduties and responsibilities.

� Employees do not have to work excessive overtime oroutside the ordinary workweek to complete assignedtasks.

� Managers and supervisors are not fulfilling the rolesof more than one employee.

Assignment of Authority and Responsibility Comments/Descriptions

1. The agency appropriately assigns authority anddelegates responsibility to the proper personnel to dealwith organizational goals and objectives. Consider thefollowing:

� Authority and responsibility are clearly assignedthroughout the organization and this is clearlycommunicated to all employees.

� Responsibility for decision-making is clearly linkedto the assignment of authority and responsibility, andindividuals are held accountable accordingly.

� Along with increased delegation of authority andresponsibility, management has effective proceduresto monitor results.


Assignment of Authority and Responsibility Comments/Descriptions

2. Each employee knows how his or her actionsinterrelate to others considering the way in whichauthority and responsibilities are assigned, andemployees are aware of their related duties concerninginternal control. Consider the following:

� Job descriptions clearly indicate the degree ofauthority and accountability delegated to eachposition and the responsibilities assigned.

� Job descriptions and performance evaluations containspecific references to internal control related duties,responsibilities, and accountability.

3. The delegation of authority is appropriate in relationto the assignment of responsibility. Consider thefollowing:

� Employees at the appropriate levels are empowered tocorrect problems or implement improvements.

� There is an appropriate balance between thedelegation of authority at lower levels to �get the jobdone� and the involvement of senior-level personnel.

Human Resource Policies and Practices Comments/Descriptions

1. Policies and procedures are in place for hiring,orienting, training, evaluating, counseling, promoting,compensating, disciplining, and terminatingemployees. Consider the following:

� Management communicates information to recruitersabout the type of competencies needed for the workor participates in the hiring process.

� The agency has standards or criteria for hiringqualified people, with emphasis on education,experience, accomplishment, and ethical behavior.

� A training program has been established and includesorientation programs for new employees and ongoingtraining for all employees.



� Promotion, compensation, and rotation of employeesare based on periodic performance appraisals.

� Performance appraisals are linked to the goals andobjectives included in the agency�s strategic plan.

� The importance of integrity and ethical values arereflected in performance appraisal criteria.

� Employees are provided with appropriate feedbackand counseling on their job performance andsuggestions for improvements.

� Disciplinary or remedial action is taken in response toviolations of policies or ethical standards.

� Employment is terminated, following establishedpolicies, when performance is consistently belowstandards or there are significant and seriousviolations of policy.

� Management has established criteria for employeeretention and considers the effect upon operations iflarge numbers of employees are expected to leave orretire in a given time period.

2. Background checks are conducted on candidates foremployment. Consider the following:

� Candidates who change jobs often are givenparticularly close attention.

� Hiring standards require investigations for criminalrecords for all potential employees.

� References and previous employers are contacted.

� Educational and professional certifications areconfirmed.

3. Employees are provided a proper amount ofsupervision. Consider the following:



� Employees receive guidance, review, and on-the-jobtraining from supervisors to help ensure proper workflow and processing of transactions and events,reduce misunderstandings, and discourage wrongfulacts.

� Supervisory personnel ensure that staff are aware oftheir duties and responsibilities and management�sexpectations of them.

Oversight Groups Comments/Descriptions

1. Within the agency, there are mechanisms in place tomonitor and review operations and programs.Consider the following:

� An Inspector General, who is independent frommanagement, audits and reviews agency activities.

� The agency has an audit committee or seniormanagement council consisting of high-level line andstaff executives that review the internal audit workand coordinate closely with the Inspector General andexternal auditors.

� If there is an internal audit operation it reports to theagency head.2

� The internal audit function reviews that agency�sactivities and systems and provides information,analyses, appraisals, recommendations, and counselto management.

2. The agency works closely with executive branchoversight organizations. Consider the following:

� The agency has a good working relationship withOMB and agency officials, including the ChiefFinancial Officer, meet regularly with OMB officialsto discuss areas such as financial and budgetaryreporting, internal control, and management�sperformance.

2Agencies may or may not have an internal audit function separate and apart from the Inspector General.


Oversight Groups Comments/Descriptions

� High-level agency personnel maintain good workingrelationships with other executive branch agenciesthat exercise multi-agency control responsibilities,such as the Department of the Treasury, the GeneralServices Administration, and the Office of PersonnelManagement.

3. The agency maintains a close relationship withCongress in general and oversight committees inparticular. Consider the following:

� The agency provides Congress and oversightcommittees with timely and accurate information toallow monitoring of agency activities, includingreview of the agency�s (1) mission and goals, (2)performance reporting, and (3) financial position andoperating results.

� High-level agency officials meet regularly withcongressional and GAO staff to discuss major issuesaffecting operations, internal control, performance,and other major agency activities and programs.


Control Environment Summary SectionProvide General Conclusions and Actions Needed Here:


(BLANK)


RISK ASSESSMENT

The second internal control standard addresses risk assessment. A precondition to riskassessment is the establishment of clear, consistent agency goals and objectives at both the entitylevel and at the activity (program or mission) level. Once the objectives have been set, theagency needs to identify the risks that could impede the efficient and effective achievement ofthose objectives at the entity level and the activity level. Internal control should provide for anassessment of the risks the agency faces from both internal and external sources. Once riskshave been identified, they should be analyzed for their possible effect. Management then has toformulate an approach for risk management and decide upon the internal control activitiesrequired to mitigate those risks and achieve the internal control objectives of efficient andeffective operations, reliable financial reporting, and compliance with laws and regulations. Amanager or evaluator will focus on management's processes for objective setting, riskidentification, risk analysis, and management of risk during times of change. Listed below arefactors a user might consider. The list is a beginning point. It is not all-inclusive nor will everyitem apply to every agency or activity within the agency. Even though some of the functions andpoints may be subjective in nature and require the use of judgment, they are important inperforming risk assessment.

Establishment of Entitywide Objectives Comments/Descriptions

1. The agency has established entitywide objectives thatprovide sufficiently broad statements and guidanceabout what the agency is supposed to achieve, yet arespecific enough to relate directly to the agency.Consider the following:

� Management has established overall entitywideobjectives in the form of mission, goals, andobjectives, such as those defined in strategic andannual performance plans developed under theGPRA.

� The entitywide objectives relate to and stem fromprogram requirements established by legislation.

� The entitywide objectives are specific enough toclearly apply to the agency instead of applying to allagencies.

2. Entitywide objectives are clearly communicated to allemployees, and management obtains feedbacksignifying that the communication has been effective.


Establishment of Entitywide Objectives Comments/Descriptions

3. There is a relationship and consistency between theagency�s operational strategies and the entitywideobjectives. Consider the following:

� Strategic plans support the entitywide objectives.

� Strategic plans address resource allocations andpriorities.

� Strategic plans and budgets are designed with anappropriate level of detail for various managementlevels.

� Assumptions made in strategic plans and budgets areconsistent with the agency�s historical experience andcurrent circumstances.

4. The agency has established an integrated managementstrategy and risk assessment plan that considers theentitywide objectives and relevant sources of risk frominternal management factors and external sources andestablishes a control structure to address those risks.

Establishment of Activity-Level Objectives Comments/Descriptions

1. Activity-level (program or mission-level) objectivesflow from and are linked with the agency�s entitywideobjectives and strategic plans. Consider the following:

� All significant activities are adequately linked to theentitywide objectives and strategic plans.

� Activity-level objectives are reviewed periodically toassure that they have continued relevance.

2. Activity-level objectives are complementary, reinforceeach other and are not contradictory.

3. The activity-level objectives are relevant to allsignificant agency processes. Consider the following:

� Objectives have been established for all the keyoperational activities and the support activities.


Establishment of Activity-Level Objectives Comments/Descriptions

� Activity-level objectives are consistent with effectivepast practices and performance and are consistentwith any industry or business norms that may beapplicable to the operations of the agency.

4. Activity-level objectives include measurement criteria.

5. Agency resources are adequate relative to the activity-level objectives. Consider the following:

� The resources needed to meet the objectives havebeen identified.

� If adequate resources are not available, managementhas plans to acquire them.

6. Management has identified those activity-levelobjectives that are critical to the success of the overallentitywide objectives. Consider the following:

� Management has identified the things that must occuror happen if the entitywide objectives are to be met.

� The critical activity-level objectives receive particularattention and review from management and theirperformance is monitored regularly.

7. All levels of management are involved in establishingthe activity-level objectives and are committed to theirachievement.

Risk Identification Comments/Descriptions

1. Management comprehensively identifies risk usingvarious methodologies as appropriate. Consider thefollowing:

� Qualitative and quantitative methods are used toidentify risk and determine relative risk rankings on ascheduled and periodic basis.

� How risk is to be identified, ranked, analyzed, andmitigated is communicated to appropriate staff.



� Risk identification and discussion occur in senior-level management conferences.

� Risk identification takes place as a part of short andlong-term forecasting and strategic planning.

� Risk identification occurs as a result of considerationof findings from audits, evaluations, and otherassessments.

2. Adequate mechanisms exist to identify risks to theagency arising from external factors. Consider thefollowing:

� The agency considers the risks associated withtechnological advancements and developments.

� Consideration is given to risks arising from thechanging needs or expectations of Congress, agencyofficials, and the public.

� Risks posed by new legislation or regulations areidentified.

� Risks to the agency as a result of possible naturalcatastrophes are taken into account.

� Identification of risks resulting from business,political, and economic changes are determined.

� Consideration is given to the risks associated withmajor suppliers and contractors.

� The agency carefully considers any risks resultingfrom its interactions with various other entities andoutside parties.

3. Adequate mechanisms exist to identify risks to theagency arising from internal factors. Consider thefollowing:

� Risks resulting from downsizing of agency operationsand personnel are considered.



� The agency identifies risks associated withreengineering of operating processes.

� Consideration is given to risks posed by disruption ofinformation systems processing and the extent towhich backup systems are available and can beimplemented.

� The agency identifies any potential risks due to highlydecentralized program operations.

� Consideration is given to possible risks resulting fromthe lack of qualifications of personnel hired or theextent to which they have been trained.

� Risks resulting from heavy reliance on contractors orother related parties to perform critical agencyoperations are identified.

� The agency identifies any risks that might beassociated with major changes in managerialresponsibilities.

� Risks resulting from unusual employee access tovulnerable assets are considered.

� Risk identification activities consider certain humancapital related risks, such as the ability to providesuccession planning and retain key managementpersonnel who can affect the ability of the agency tofunction effectively, and the adequacy ofcompensation and benefit programs to keep theagency competitive with the private sector for labor.

� Risks related to the availability of future funding fornew programs or the continuation of current programsare assessed.

4. In identifying risk, management assesses other factorsthat may contribute to or increase the risk to which theagency is exposed. Consider the following:



� Management considers any risks related to pastfailures to meet agency missions, goals, or objectivesor failures to meet budget limitations.

� Consideration is given to risks indicated by a historyof improper program expenditures, violations offunds control, or other statutory noncompliance.

� The agency identifies any risks inherent to the natureof its mission or to the significance and complexity ofany specific programs or activities it undertakes.

5. Management identifies risks both entitywide and foreach significant activity-level of the agency.

Risk Analysis Comments/Descriptions

1. After the risks to the agency have been identified,management undertakes a thorough and completeanalysis of their possible effect. Consider thefollowing:

� Management has established a formal process toanalyze risks or the analysis is done informally viaday-to-day management activities.

� Criteria has been established for determining low,medium, and high risks.

� Appropriate levels of management and employees areinvolved in the risk analysis.

� The risks identified and analyzed are relevant to thecorresponding activity objective.

� Risk analysis includes estimating the risk�ssignificance.

� Risk analysis includes estimating the likelihood andfrequency of occurrence of each risk and determiningwhether it falls into the low, medium, or high riskcategory.


Risk Analysis Comments/Descriptions

� A determination is made on how best to manage ormitigate the risk and what specific actions should betaken.

2. Management has developed an approach for riskmanagement and control based on how much risk canbe prudently accepted. Consider the following:

� The approach can vary from one agency to anotherdepending upon variances in risks and how much riskcan be tolerated, but seems appropriate to the agency.

� The approach is designed to keep risks within levelsjudged to be appropriate and management takesresponsibility for setting the tolerable risk level.

� Specific control activities are decided upon to manageor mitigate specific risks entitywide and at eachactivity level, and their implementation is monitored.

Managing Risk During Change Comments/Descriptions

1. The agency has mechanisms in place to anticipate,identify, and react to risks presented by changes ingovernmental, economic, industry, regulatory,operating, or other conditions that can affect theachievement of entitywide or activity-level goals andobjectives. Consider the following:

� All activities within the agency that might besignificantly affected by changes are considered inthe process.

� Routine changes are addressed through theestablished risk identification and analysis processes.

� Risks resulting from conditions that are significantlychanging are addressed at sufficiently high levelswithin the agency so that their full impact on theorganization is considered and appropriate actions aretaken.


Managing Risk During Change Comments/Descriptions

2. The agency gives special attention to risks presented bychanges that can have a more dramatic and pervasiveeffect on the entity and may demand the attention ofsenior officials. Consider the following:

� The agency is especially attentive to risks caused bythe hiring of new personnel to occupy key positionsor by high personnel turnover in any particular area.

� Mechanisms exist to assess the risks posed by theintroduction of new or changed information systemsand risks involved in training employees to use thenew systems and to accept the changes.

� Management gives special consideration to the riskspresented by rapid growth and expansion or rapiddownsizing and the effects on systems capabilitiesand revised strategic plans, goals, and objectives.

� Consideration is given to the risks involved whenintroducing major new technological developmentsand applications and incorporating them into theoperating processes.

� The risks are extensively analyzed whenever theagency begins the production or provision of newoutputs or services.

� Risks resulting from the establishment of operationsin a new geographical area are assessed.


Risk Assessment Summary SectionProvide General Conclusions and Actions Needed Here:


(BLANK)


CONTROL ACTIVITIES

The third internal control standard addresses control activities. Internal control activities are thepolicies, procedures, techniques, and mechanisms that help ensure that management�s directivesto mitigate risks identified during the risk assessment process are carried out. Control activitiesare an integral part of the agency�s planning, implementing, and reviewing. They are essentialfor proper stewardship and accountability for government resources and for achieving effectiveand efficient program results.

Control activities occur at all levels and functions of the agency. They include a wide range ofdiverse activities, such as approvals, authorizations, verifications, reconciliations, performancereviews, security activities, and the production of records and documentation. A manager orevaluator should focus on control activities in the context of the agency�s management directivesto address risks associated with established objectives for each significant activity (program ormission). Therefore, a manager or evaluator will consider whether control activities relate to therisk-assessment process and whether they are appropriate to ensure that management's directivesare carried out. In assessing the adequacy of internal control activities, a reviewer shouldconsider whether the proper control activities have been established, whether they are sufficientin number, and the degree to which those activities are operating effectively. This should be donefor each significant activity. This analysis and evaluation should also include controls overcomputerized information systems. A manager or evaluator should consider not only whetherestablished control activities are relevant to the risk-assessment process, but also whether theyare being applied properly.

The control activities put into place in a given agency may vary considerably from those used ina different agency. This difference may occur because of the (1) variations in missions, goals,and objectives of the agencies; (2) differences in their environment and manner in which theyoperate; (3) variations in degree of organizational complexity; (4) differences in agency historiesand culture; and (5) differences in the risks that the agencies face and are trying to mitigate. It isprobable that, even if two agencies did have the same missions, goals, objectives, andorganizational structures, they would employ different control activities. This is becausedifferent people who apply their own individual judgment in implementing internal controlwould manage them. All of these factors affect an agency�s internal control activities, whichshould be designed accordingly to contribute to the achievement of the agency�s missions, goals,and objectives.

Given the wide variety of control activities that agencies may employ, it would be impossible forthis tool to address them all. However, there are some general, overall points to be considered bymanagers and evaluators, as well as several major categories or types of control activity factorsthat are applicable at various levels throughout practically all federal agencies. In addition, thereare some control activity factors specifically designed for information systems. These factorsand related points and subsidiary points are listed below as examples of issues to be considered.They are meant to illustrate the range and variety of control activities that are typically used.The list is a beginning point. It is not all-inclusive, and not every point or subsidiary point may


apply to every agency or activity within the agency. Even though some of the functions andpoints may be subjective in nature and require the use of judgment, they are important inassessing the appropriateness of the agency�s internal control activities.

General Application Comments/Descriptions

1. Appropriate policies, procedures, techniques, andmechanisms exist with respect to each of the agency�sactivities. Consider the following:3

� All relevant objectives and associated risks for eachsignificant activity have been identified in relation tothe risk assessment and analysis function of internalcontrol.

� Management has identified the actions and controlactivities needed to address the risks and directedtheir implementation.

2. The control activities identified as necessary are inplace and being applied. Consider the following:

� Control activities described in policy and proceduresmanuals are actually applied and applied properly.

� Supervisors and employees understand the purpose ofinternal control activities.

� Supervisory personnel review the functioning ofcontrol activities.

� Timely action is take on exceptions, implementationproblems, or information that requires follow-up.

Common Categories of Control Activities Comments/Descriptions

1. Top-Level Reviews � Management tracks majoragency achievements in relation to its plans. Considerthe following:

3In determining the adequacy of control activities and the relationship to risk assessment processes,reviewers will need to exercise professional judgment in considering the particular factors affectingcontrol discussed in the introductory material to this section as well as the risks common to all types ofgovernment activities as addressed by the controls indicated in the following material under “CommonCategories of Control Activities.”



� Top-level management regularly reviews actualperformance against budgets, forecasts, and priorperiod results.

� Top management is involved in developing 5-yearand annual performance plans and targets inaccordance with GPRA and measuring and reportingresults against those plans and targets.

� Major agency initiatives are tracked for targetachievement and follow-up actions taken.

2. Management Reviews at the Functional or ActivityLevel � Agency managers review actual performanceagainst targets. Consider the following:

� Managers at all activity levels review performancereports, analyze trends, and measure results againsttargets.

� Both financial and program managers review andcompare financial, budgetary, and operationalperformance to planned or expected results.

� Appropriate control activities are employed, such asreconciliations of summary information to supportingdetail and checking the accuracy of summarizationsof operations.

3. Management of Human Capital � The agencyeffectively manages the organization�s workforce toachieve results. Consider the following:4

� There is a clear and coherent shared vision of theagency�s mission, goals, values, and strategies that isexplicitly identified in the strategic plan, annualperformance plan, and other guiding documents, andthat view has been clearly and consistentlycommunicated to all employees.

4For more detailed information about items to look for and consider, see GAO publication HUMANCAPITAL: A Self-Assessment Checklist for Agency Leaders, Discussion Draft (GAO/GGD-99-179,September 1999).



� The agency has a coherent human capital strategy, asevidenced in its strategic plan, performance plan, orseparate human capital planning document; and thatstrategy encompasses human capital policies,programs, and practices to guide the agency.

� The agency has a specific and explicit workforceplanning strategy, linked to the overall strategic plan,and that allows for identification of current and futurehuman capital needs.

� The agency has defined the type of leaders it wantsthrough written descriptions of roles, responsibilities,attributes, and competencies and has establishedbroad performance expectations for them.

� Senior leaders and managers attempt to buildteamwork, reinforce the shared vision of the agency,and encourage feedback from employees, asevidenced by actions taken to communicate this to allemployees and the existence of opportunities formanagement to obtain feedback.

� The agency�s performance management system isgiven a high priority by top-level officials, and it isdesigned to guide the workforce to achieve theagency�s shared vision/mission.

� Procedures are in place to ensure that personnel withappropriate competencies are recruited and retainedfor the work of the agency, including a formalrecruiting and hiring plan with explicit links to skillneeds the agency has identified.

� Employees are provided orientation, training, andtools to perform their duties and responsibilities,improve their performance, enhance their capabilities,and meet the demands of changing organizationalneeds.

� The compensation system is adequate to acquire,motivate, and retain personnel, and incentives andrewards are provided to encourage personnel toperform at maximum capability.



� The agency provides workplace flexibilities, services,and facilities (e.g., career counseling, flextime,casual-dress days, and child-care) to help it competefor talent and enhance employee satisfaction andcommitment.

� Qualified and continuous supervision is provided toensure that internal control objectives are being met.

� Meaningful, honest, constructive performanceevaluation and feedback are provided to helpemployees understand the connection between theirperformance and the achievement of the agency�sgoals.

� Management conducts succession planning to ensurecontinuity of needed skills and abilities.

4. Information Processing � The agency employs avariety of control activities suited to informationprocessing systems to ensure accuracy andcompleteness. Consider the following:5

� Edit checks are used in controlling data entry.

� Accounting for transactions is performed in numericalsequences.

� File totals are compared with control accounts.

� Exceptions or violations indicated by other controlactivities are examined and acted upon.

� Access to data, files, and programs are appropriatelycontrolled.

5. Physical Control Over Vulnerable Assets � The agencyemploys physical control to secure and safeguardvulnerable assets. Consider the following:

5Further guidance on control activities for information processing is provided below under “ControlActivities Specific for Information Systems.” In addition, see the GAO FISCAM.



� Physical safeguarding policies and procedures havebeen developed, implemented, and communicated toall employees.

� The agency has developed a disaster recovery plan,which is regularly updated and communicated toemployees.

� The agency has developed a plan for the identificationof and protection of any critical infrastructure assets.6

� Assets that are particularly vulnerable to loss, theft,damage, or unauthorized use, such as cash, securities,supplies, inventories, and equipment, are physicallysecured and access to them controlled.

� Assets such as cash, securities, supplies, inventories,and equipment are periodically counted andcompared to control records and exceptionsexamined.

� Cash and negotiable securities are maintained underlock and key and access to them strictly controlled.

� Forms such as blank checks and purchase orders arephysically secured and access to them controlled.

� Mechanical check signers and signature plates arephysically protected and access to them strictlycontrolled.

� Equipment vulnerable to theft is securely fastened orprotected in some other manner.

� Identification plates and numbers are affixed to officefurniture and fixtures, equipment, and other portableassets.

6Critical infrastructure assets are those assets of physical and cyber-based systems that are essential to theminimum operations of the economy and government. In accordance with the Presidential DecisionDirective No. 63, dated May 22, 1998, each federal agency is responsible for identifying its own criticalinfrastructure and developing a protection plan for it.



� Inventories, supplies, and finished items/goods arestored in physically secured areas and protected fromdamage.

� Facilities are protected from fire by fire alarms andsprinkler systems.

� Access to premises and facilities is controlled byfences, guards, and/or other physical controls.

� Access to facilities is restricted and controlled duringnonworking hours.

6. Performance Measures and Indicators � The agencyhas established and monitors performance measuresand indicators. Consider the following:

� Performance measures and indicators have beenestablished throughout the organization at theentitywide, activity, and individual level.

� The agency periodically reviews and validates thepropriety and integrity of both organizational andindividual performance measures and indicators.

� Performance measurement assessment factors areevaluated to ensure that they are linked to mission,goals, and objectives, and that they are balanced andset the appropriate incentives for achieving goalswhile complying with law, regulations, and ethicalstandards.

� Actual performance data are continually comparedand analyzed against expected or planned goals.

� Comparisons and assessments are made relatingdifferent sets of data to one another so that analysesof the relationships can be made and correctiveactions can be taken if necessary.

� Investigation of unexpected results or unusual trendsleads to identification of circumstances whereachievement of goals and objectives may bethreatened and corrective action taken.



� Analysis and review of performance measures andindicators are used for both operational and financialreporting control purposes.

7. Segregation of Duties � Key duties and responsibilitiesare divided or segregated among different people toreduce the risk of error, waste, or fraud. Consider thefollowing:

� No one individual is allowed to control all keyaspects of a transaction or event.

� Responsibilities and duties involving transactions andevents are separated among different employees withrespect to authorization, approval, processing andrecording, making payments or receiving funds,review and auditing, and the custodial functions andhandling of related assets.

� Duties are assigned systematically to a number ofindividuals to ensure that effective checks andbalances exist.

� The responsibility for opening mail is assigned toindividuals who have no responsibilities for or accessto files or documents pertaining to accountsreceivable or cash accounts.

� Bank accounts are reconciled by employees who haveno responsibilities for cash receipts, disbursements, orcustody.

� Management is aware that collusion can reduce ordestroy the control effectiveness of segregation ofduties and, therefore, is especially alert for it andattempts to reduce the opportunities for it to occur.

8. Execution of Transactions and Events � Transactionsand other significant events are authorized andperformed by the appropriate personnel. Consider thefollowing:



� Controls ensure that only valid transactions toexchange, transfer, use, or commit resources andother events are initiated or entered into, inaccordance with management�s decisions anddirectives and for specified purposes under specificconditions.

� Controls are established to ensure that all transactionsand other significant events that are entered into areauthorized and executed only by employees actingwithin the scope of their authority.

� Authorizations are clearly communicated to managersand employees and include the specific conditionsand terms under which authorizations are to be made.

� The terms of authorizations are in accordance withdirectives and within limitations established by law,regulation, and management.

9. Recording of Transactions and Events � Transactionsand other significant events are properly classified andpromptly recorded. Consider the following:

� Transactions and events are appropriately classifiedand promptly recorded so that they maintain theirrelevance, value, and usefulness to management incontrolling operations and making decisions.

� Proper classification and recording take placethroughout the entire life cycle of each transaction orevent including (1) initiation and authorization, (2) allaspects of the transaction or event while in process,and (3) the final classification in summary records.

� Proper classification of transactions and eventsincludes appropriate organization and format ofinformation on original documents (hardcopy paperor electronic) and summary records from whichreports and statements are prepared.

� Excessive adjustments to numbers or accountclassifications are not necessary prior to finalizationof financial reports.



10. Access Restrictions to and Accountability forResources and Records � Access to resources andrecords is limited and accountability for their custodyis assigned. Consider the following:

� The risk of unauthorized use or loss is controlled byrestricting access to resources and records only toauthorized personnel.

� Accountability for resources and records custody anduse is assigned to specific individuals.

� Access restrictions and accountability assignments forcustody are reviewed and maintained on a regularperiodic basis.

� Periodic comparison of resources with the recordedaccountability is made to determine if the two agree,and differences are examined.

� How frequently actual resources are compared torecords and the degree of access restrictions arefunctions of the vulnerability of the resource to therisk of errors, fraud, waste, misuse, or unauthorizedalteration.

� Management considers such factors as asset value,portability, and exchangeability when determining theappropriate degree of access restrictions.

� As a part of assigning and maintaining accountabilityfor resources and records, management informs andcommunicates those responsibilities to specificindividuals within the agency and assures that thosepeople are aware of their duties for appropriatecustody and use of those resources.

11. Documentation � Internal Control and all transactionsand other significant events are clearly documented.Consider the following:

� Written documentation exists for the agency�sinternal control structure and all significanttransactions and events.



� The documentation is readily available forexamination.

� The documentation for internal control includesidentification of the agency�s activity-level functionsand related objectives and control activities andappears in management directives, administrativepolicies, accounting manuals, and other suchmanuals.

� Documentation of transactions and other significantevents is complete and accurate and facilitates tracingthe transaction or event and related information frombefore it occurs, through its processing, to after it iscompleted.

� Documentation, whether in paper or electronic form,is useful to managers in controlling their operationsand to auditors and others involved in analyzingoperations.

� All documentation and records are properly managed,maintained, and periodically updated.


Control Activities Specific for Information Systems � General Control

As stated in the introduction to the Control Activities Section, there are some control activityfactors specifically designed for information systems. As discussed in the standard, there are twobroad groupings of information systems control � general control and application control.General control includes the structure, policies, and procedures that apply to the agency�s overallcomputer operations. It applies to all information systems � mainframe, minicomputer, network,and end-user environments. General control creates the environment in which the agency�sapplication systems operate. General control activities are presented first followed byapplication control activities.

There are six major factors or categories of control activities that need to be considered by theuser when evaluating general control: entitywide security management program, access control,application software development and change, system software control, segregation of duties,and service continuity. The factors and related points and some subsidiary points are listedbelow as examples of issues to be considered. They are meant to illustrate the range and varietyof general control activities that are typically used and are not all-inclusive. Users should referto the listing of critical elements and control activities pertaining to general control provided inGAO�s Federal Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6,January 1999). The list provided below summarizes the list provided in the FISCAM; however,users should refer to the FISCAM for more detailed guidance in performing their evaluation andanalysis.

Entitywide Security Management Program Comments/Descriptions

1. The agency periodically performs a comprehensive,high-level assessment of risks to its informationsystems. Consider the following:

� Risk assessments are performed and documented on aregular basis and whenever systems, facilities, orother conditions change.

� Risk assessments consider data sensitivity andintegrity.

� Final risk determinations and management approvalsare documented and kept on file.

2. The agency has developed a plan that clearly describesthe entitywide security program and policies andprocedures that support it.


Entitywide Security Management Program Comments/Descriptions

3. Senior management has established a structure toimplement and manage the security programthroughout the agency, and security responsibilitiesare clearly defined.

4. The agency has implemented effective security-relatedpersonnel policies.

5. The agency monitors the security program�seffectiveness and makes changes as needed. Considerthe following:

� Management periodically assesses theappropriateness of security policies and compliancewith them.

� Corrective actions are promptly and effectivelyimplemented, tested, and monitored on a continuingbasis.

Access Control Comments/Descriptions

1. The agency classifies information resources accordingto their criticality and sensitivity. Consider thefollowing:

� Resource classifications and related criteria have beenestablished and communicated to resource owners.

� Resource owners have classified their informationresources based on the approved criteria and withregard to risk determinations and assessments andhave documented those classifications.

2. Resource owners have identified authorized users andtheir access to the information has been formallyauthorized.

3. The agency has established physical and logicalcontrols to prevent or detect unauthorized access.


Access Control Comments/Descriptions

4. The agency monitors information systems access,investigates apparent violations, and takes appropriateremedial and disciplinary action.

Application Software Development and ChangeControl

Comments/Descriptions

1. Information system processing features and programmodifications are properly authorized.

2. All new or revised software is thoroughly tested andapproved.

3. The agency has established procedures to ensurecontrol of its software libraries, including labeling,access restrictions, and use of inventories and separatelibraries.

System Software Control Comments/Descriptions

1. The agency limits access to system software based onjob responsibilities, and access authorization isdocumented.

2. Access to and use of system software is controlled andmonitored.

3. The agency controls changes made to the systemsoftware.

Segregation of Duties Comments/Descriptions

1. Incompatible duties have been identified and policiesimplemented to segregate those duties.

2. Access controls have been established to enforcesegregation of duties.

3. The agency exercises control over personnel activitiesthrough the use of formal operating procedures,supervision, and review.


Service Continuity Comments/Descriptions

1. The criticality and sensitivity of computerizedoperations have been assessed and prioritized, andsupporting resources have been identified.

2. The agency has taken steps to prevent and minimizepotential damage and interruption through the use ofdata and program backup procedures, environmentalcontrols, staff training, and hardware maintenanceand management.

3. Management has developed and documented acomprehensive contingency plan.

4. The agency periodically tests the contingency plan andadjusts it as appropriate.


Control Activities Specific for Information Systems � Application Control

Application control covers the structure, policies, and procedures designed to help ensurecompleteness, accuracy, authorization, and validity of all transactions during applicationprocessing. It includes both the routines contained within the computer program code as well asthe policies and procedures associated with user activities, such as manual measures performedby the user to determine that the data were processed accurately by the computer.

There are four major factors or categories of control activities that need to be considered by theuser when evaluating application control: authorization control, completeness control, accuracycontrol, and control over integrity of processing and data files. The factors and related pointsand some subsidiary points are listed below as examples of issues to be considered. They aremeant to illustrate the range and variety of application control activities that are typically usedand are not all-inclusive. In the future, application control evaluation and testing will beaddressed in Chapter 4 of GAO�s Federal Information System Controls Audit Manual (FISCAM)(GAO/AIMD-12.19.6, January 1999). That chapter is currently under development and isexpected to be issued with the first update of the FISCAM. However, the list of factors, points,and subsidiary points provided below generally follows the guidance expected to be issued in theFISCAM. Users should refer to the FISCAM Chapter 4, when issued, for more detailedguidance in performing their evaluation and analysis.

Authorization Control Comments/Descriptions

1. Source documents are controlled and requireauthorization. Consider the following:

� Access to blank source documents is restricted.

� Source documents are pre-numbered sequentially.

� Key source documents require authorizing signatures.

� For batch application systems, batch control sheetsare used providing information such as date, controlnumber, number of documents, and control totals forkey fields.

� Supervisory or independent review of data occursbefore it is entered into the application system.

2. Data entry terminals have restricted access.

3. Master files and exception reporting are used to ensurethat all data processed are authorized.


Completeness Control Comments/Descriptions

1. All authorized transactions are entered into andprocessed by the computer.

2. Reconciliations are performed to verify datacompleteness.

Accuracy Control Comments/Descriptions

1. The agency�s data entry design features contribute todata accuracy.

2. Data validation and editing are performed to identifyerroneous data.

3. Erroneous data are captured, reported, investigated,and corrected.

4. Output reports are reviewed to help maintain dataaccuracy and validity.

Control Over Integrity ofProcessing and Data Files

Comments/Descriptions

1. Procedures ensure that the current version ofproduction programs and data files are used duringprocessing.

2. Programs include routines to verify that the properversion of the computer file is used during processing.

3. Programs include routines for checking internal fileheader labels before processing.

4. The application protects against concurrent fileupdates.


Control Activities Summary SectionProvide General Conclusions and Actions Needed Here:


INFORMATION AND COMMUNICATIONS

According to the fourth internal control standard, for an agency to run and control its operations,it must have relevant, reliable information, both financial and nonfinancial, relating to external aswell as internal events. That information should be recorded and communicated to managementand others within the agency who need it and in a form and within a time frame that enablesthem to carry out their internal control and operational responsibilities. In addition, the agencyneeds to make sure that the forms of communications are broad-based and that informationtechnology management assures useful, reliable, and continuous communications. Managers andevaluators should consider the appropriateness of information and communication systems to theentity's needs and the degree to which they accomplish the objectives of internal control. Listedbelow are factors a user might consider. The list is a beginning point. It is not all-inclusive, norwill every item apply to every agency or activity within the agency. Even though some of thefunctions and points may be subjective in nature and require the use of judgment, they areimportant in collecting appropriate data and information and in establishing and maintaininggood communications.

Information Comments/Descriptions

1. Information from internal and external sources isobtained and provided to management as a part of theagency�s reporting on operational performancerelative to established objectives. Consider thefollowing:

� Internally generated information critical to achievingthe agency�s objectives, including informationrelative to critical success factors, is identified andregularly reported to management.

� The agency obtains and reports to management anyrelevant external information that may affect theachievement of its missions, goals, and objectives,particularly that related to legislative or regulatorydevelopments and political or economic changes.

� Internal and external information needed by managersat all levels is reported to them.

2. Pertinent information is identified, captured, anddistributed to the right people in sufficient detail, inthe right form, and at the appropriate time to enablethem to carry out their duties and responsibilitiesefficiently and effectively. Consider the following:


Information Comments/Descriptions

� Managers receive analytical information that helpsthem identify specific actions that need to be taken.

� Information is provided at the right level of detail fordifferent levels of management.

� Information is summarized and presentedappropriately and provides pertinent informationwhile permitting a closer inspection of details asneeded.

� Information is available on a timely basis to alloweffective monitoring of events, activities, andtransactions and allow prompt reaction.

� Program managers receive both operational andfinancial information to help them determine whetherthey are meeting the strategic and annual performanceplans and meeting the agency�s goals foraccountability of resources.

� Operational information is provided to managers sothat they may determine whether their programscomply with applicable laws and regulations.

� The appropriate financial and budgetary informationis provided for both internal and external financialreporting.

Communications Comments/Descriptions

1. Management ensures that effective internalcommunications occur. Consider the following:

� Top management provides a clear messagethroughout the agency that internal controlresponsibilities are important and must be takenseriously.



� Employees� specific duties are clearly communicatedto them and they understand the relevant aspects ofinternal control, how their role fits into it, and howtheir work relates to the work of others.

� Employees are informed that when the unexpectedoccurs in performing their duties, attention must begiven not only to the event, but also to the underlyingcause, so that potential internal control weaknessescan be identified and corrected before they can dofurther harm to the agency.

� Acceptable behavior versus unacceptable behaviorand the consequences of improper conduct are clearlycommunicated to all employees.

� Personnel have a means of communicatinginformation upstream within the agency throughsomeone other than a direct supervisor, and there is agenuine willingness to listen on the part ofmanagement.

� Mechanisms exist to allow the easy flow ofinformation down, across, and up the organization,and easy communications exist between functionalactivities such as between procurement activities andproduction activities.

� Employees indicate that informal or separate lines ofcommunications exist which serve as a �fail-safe�control for normal communications avenues.

� Personnel understand that there will be no reprisalsfor reporting adverse information, improper conduct,or circumvention of internal control activities.

� Mechanisms are in place for employees torecommend improvements in operations, andmanagement acknowledges good employeesuggestions with cash awards or other meaningfulrecognition.



� Management communicates frequently with internaloversight groups, such as senior managementcouncils, and keeps them informed of performance,risks, major initiatives, and any other significantevents.

2. Management ensures that effective externalcommunications occur with groups that can have aserious impact on programs, projects, operations, andother activities, including budgeting and financing.Consider the following:

� Open and effective communications channels havebeen established with customers, suppliers,contractors, consultants, and other groups that canprovide significant input on quality and design ofagency products and services.

� All outside parties dealing with the agency are clearlyinformed of the agency�s ethical standards and alsounderstand that improper actions, such as improperbillings, kickbacks, or other improper payments, willnot be tolerated.

� Communications from external parties, such as otherfederal agencies, state and local governments, andother related third parties, is encouraged since it canbe a source of information on how well internalcontrol is functioning.

� Agencies communicating with external groups aboutcontroversial issues have a way to assure compliancewith the Federal Advisory Committee Act.

� Complaints or other inquires, especially thoseconcerning services, such as shipments, receipts, andbillings, are welcomed since they can serve to pointout problems with control.

� Management makes certain that the advice andrecommendations of Inspectors General and otherauditors and evaluators are fully considered and thatactions are implemented to correct any problems orweaknesses they identify.



� Communications with the Congress, OMB, Treasury,other federal agencies, state and local governments,the media, the public, and others provide informationrelevant to the requestors� needs so that they canbetter understand the agency�s mission, goals, andobjectives, better understand the risks facing theagency, and thus better understand the agency.

Forms and Means of Communications Comments/Descriptions

1. The agency employs many and various forms andmeans of communicating important information withemployees and others. Consider the following:

� Management uses effective communications methods,which may include policy and procedures manuals,management directives, memoranda, bulletin boardnotices, internet and intranet web pages, videotapedmessages, e-mail, and speeches.

� One of the most powerful forms of communicationsused by management is the positive actions it takes indealing with personnel throughout the organizationand its demonstrated support of internal control.

2. The agency manages, develops, and revises itsinformation systems in an effort to continuallyimprove the usefulness and reliability of itscommunication of information. Consider thefollowing:

� Information systems management is based on astrategic plan for information systems that is linked tothe agency�s overall strategic plan.

� A mechanism exists for identifying emerginginformation needs.

� As part of the agency�s information management,improvements and advances in technology aremonitored, analyzed, evaluated, and introduced tohelp the agency respond more rapidly and efficientlyto those they serve.


Forms and Means of Communications Comments/Descriptions

� Management continually monitors the quality of theinformation captured, maintained, and communicatedas measured by such factors as appropriateness ofcontent, timeliness, accuracy, and accessibility.

� Management�s support for the development ofinformation technology is demonstrated by itscommitment of appropriate human and financialresources to the effort.


Information and Communications Summary SectionProvide General Conclusions and Actions Needed Here:


(BLANK)


MONITORING

Monitoring is the final internal control standard. Internal control monitoring should assess thequality of performance over time and ensure that the findings of audits and other reviews arepromptly resolved. In considering the extent to which the continued effectiveness of internalcontrol is monitored, both ongoing monitoring activities and separate evaluations of the internalcontrol system, or portions thereof, should be considered. Ongoing monitoring occurs duringnormal operations and includes regular management and supervisory activities, comparisons,reconciliations, etc., and other actions people take in performing their duties. Separateevaluations are a way to take a fresh look at internal control by focusing directly on the controls�effectiveness at a specific time. These evaluations may take the form of self-assessments as wellas review of control design and direct testing, and may include the use of this Management andEvaluation Tool or some similar device. In addition, monitoring includes policies andprocedures for ensuring that any audit and review findings and recommendations are brought tothe attention of management and are resolved in a timely manner. Managers and evaluatorsshould consider the appropriateness of the agency�s internal control monitoring and the degree towhich it helps them accomplish their objectives. Listed below are factors a user might consider.The list is a beginning point. It is not all-inclusive, and every item might not apply to everyagency or activity within the agency. Even though some of the functions and points may besubjective in nature and require the use of judgment, they are important in establishing andmaintaining good internal control monitoring policies and procedures.

Ongoing Monitoring Comments/Descriptions

1. Management has a strategy to ensure that ongoingmonitoring is effective and will trigger separateevaluations where problems are identified or systemsare critical and testing is periodically desirable.Consider the following:

� Management�s strategy provides for routine feedbackand monitoring of performance and controlobjectives.

� The monitoring strategy includes identification ofcritical operational and mission support systems thatneed special review and evaluation.

� The strategy includes a plan for periodic evaluation ofcontrol activities for critical operational and missionsupport systems.



2. In the process of carrying out their regular activities,agency personnel obtain information about whetherinternal control is functioning properly. Consider thefollowing:

� Operating reports are integrated or reconciled withfinancial and budgetary reporting system data andused to manage operations on an ongoing basis, andmanagement is alert to inaccuracies or exceptions thatcould indicate internal control problems.

� Operating management compares production, sales,or other operating information obtained in the courseof their daily activities to system-generatedinformation and follows up on any inaccuracies orother problems that might be found.

� Operating personnel are required to �sign-off� on theaccuracy of their unit�s financial statements and areheld accountable if errors are discovered.

3. Communications from external parties shouldcorroborate internally generated data or indicateproblems with internal control. Consider thefollowing:

� Management recognizes that customers paying forinvoices help to corroborate billing data, whilecustomer complaints indicate that deficiencies mayexist; and these deficiencies are then investigated todetermine the underlying causes.

� Communications from vendors and monthlystatements of accounts payable are used as controlmonitoring techniques.

� Supplier complaints about any unfair practices byagency purchasing agents are investigated.

� Congress and oversight groups communicateinformation to the agency about compliance or othermatters that reflect on the functioning of internalcontrol and management follows up on any problemsindicated.



� Control activities that should have prevented ordetected any problems that arise, but did not functionproperly, are reassessed.

4. Appropriate organizational structure and supervisionhelp provide oversight of internal control functions.Consider the following:

� Automated edits and checks as well as clericalactivities are used to help control accuracy andcompleteness of transaction processing.

� Separation of duties and responsibilities is used tohelp deter fraud.

� The Inspector General is independent and hasauthority to report directly to the agency head anddoes not conduct agency operations for management.

5. Data recorded by information and financial systemsare periodically compared with physical assets anddiscrepancies are examined. Consider the following:

� Inventory levels of materials, supplies, and otherassets are checked regularly, differences betweenrecorded and actual amounts are corrected, and thereasons for the discrepancies resolved.

� The frequency of the comparison is a function of thevulnerability of the asset.

� Custodial accountability for assets and resources isassigned to responsible individuals.

6. The Inspector General and other auditors andevaluators regularly provide recommendations forimprovements in internal control with managementtaking appropriate follow-up action.

7. Meetings with employees are used to providemanagement with feedback on whether internalcontrol is effective. Consider the following:



� Relevant issues, information, and feedbackconcerning internal control raised at trainingseminars, planning sessions, and other meetings arecaptured and used by management to addressproblems or strengthen the internal control structure.

� Employee suggestions on internal control areconsidered and acted upon as appropriate.

8. Employees are regularly asked to state explicitlywhether they comply with the agency�s code of conductor similar agency pronouncements of expectedemployee behavior. Consider the following:

� Personnel periodically acknowledge compliance withthe code of conduct.

� Signatures are required to evidence performance ofcritical internal control functions, such asreconciliations.

Separate Evaluations Comments/Descriptions

1. The scope and frequency of separate evaluations ofinternal control are appropriate for the agency.Consider the following:

� Consideration is given to the risk assessment resultsand the effectiveness of ongoing monitoring whendetermining the scope and frequency of separateevaluations.

� Separate evaluations are often prompted by eventssuch as major changes in management plans orstrategies, major expansion or downsizing of theagency, or significant changes in operations orprocessing of financial or budgetary information.

� Appropriate portions or sections of internal controlare evaluated regularly.



� Separate evaluations are conducted by personnel withthe required skills that may include the agency�sInspector General or an external auditor.

2. The methodology for evaluating the agency�s internalcontrol is logical and appropriate. Consider thefollowing:

� The methodology used may include self-assessmentsusing checklists, questionnaires, or other such tools,and it may include the use of this Management andEvaluation Tool or some similar device.

� The separate evaluations may include a review of thecontrol design and direct testing of the internalcontrol activities.

� The evaluation team develops a plan for theevaluation process to ensure a coordinated effort.

� If the evaluation process is conducted by agencyemployees, it is managed by an executive with therequisite authority, capability, and experience.

� The evaluation team gains a sufficient understandingof the agency�s missions, goals, and objectives and itsoperations and activities.

� The evaluation team gains an understanding of howthe agency�s internal control is supposed to work andhow it actually does work.

� The evaluation team analyzes the results of theevaluation against established criteria.

� The evaluation process is properly documented.

3. If the separate evaluations are conducted by theagency�s Inspector General, that office has sufficientresources, ability, and independence. Consider thefollowing:7

7This particular point and the related subsidiary points are not expected to be assessed by agencymanagement or the agency Inspector General. However, their consideration may be useful in outsidereviews or peer reviews.



� The Inspector General has sufficient levels ofcompetent and experienced staff.

� The Inspector General is organizationallyindependent and reports to the highest levels withinthe agency.

� The responsibilities, scope of work, and audit plans ofthe Inspector General are appropriate to the agency�sneeds.

4. Deficiencies found during separate evaluations arepromptly resolved. Consider the following:

� Deficiencies are promptly communicated to theindividual responsible for the function and also to atleast one level of management above that individual.

� Serious deficiencies and internal control problems arepromptly reported to top management.

Audit Resolution8 Comments/Descriptions

1. The agency has a mechanism to ensure the promptresolution of findings from audits and other reviews.Consider the following:

� Managers promptly review and evaluate findingsresulting from audits, FMFIA and FFMIAassessments, and other reviews, including thoseshowing deficiencies and those identifyingopportunities for improvements.

� Management determines the proper actions to take inresponse to findings and recommendations.

� Corrective action is taken or improvements madewithin established time frames to resolve the mattersbrought to management�s attention.

8Audit Resolution includes the resolution of findings and recommendations not just from formal audits, butalso resulting from informal reviews, internal separate evaluations, management studies, and assessmentsmade pursuant to the requirements of the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 andthe Federal Financial Management Improvement Act (FFMIA) of 1996.


Audit Resolution Comments/Descriptions

� In cases where there is disagreement with the findingsor recommendations, management demonstrates thatthose findings or recommendations are either invalidor do not warrant action.

� Management considers consultations with auditors(such as GAO, Inspector General, and other externalauditors), and reviewers when it is believed to behelpful in the audit resolution process.

2. Agency management is responsive to the findings andrecommendations of audits and other reviews aimed atstrengthening internal control. Consider thefollowing:

� Executives with the proper authority evaluate thefindings and recommendations and decide upon theappropriate actions to take to correct or improvecontrol.

� Desired internal control actions are followed up on toverify implementation.

3. The agency takes appropriate follow up actions withregard to findings and recommendations of audits andother reviews. Consider the following:

� Problems with particular transactions or events arecorrected promptly.

� The underlying causes giving rise to the findings orrecommendations are investigated by management.

� Actions are decided upon to correct the situation ortake advantage of the opportunity for improvements.

� Management and auditors follow up on audit andreview findings, recommendations, and the actionsdecided upon to ensure that those actions are taken.

� Top management is kept informed through periodicreports on the status of audit and review resolution sothat it can ensure the quality and timeliness ofindividual resolution decisions.


Monitoring Summary SectionProvide General Conclusions and Actions Needed Here:


OVERALL INTERNAL CONTROL SUMMARY

Control Environment Assessment/Conclusions

Management and employees have a positive andsupportive attitude toward internal control andconscientious management. Management conveys themessage that integrity and ethical values must not becompromised. The agency demonstrates a commitment tothe competence of its personnel and employs good humancapital policies and practices. Management has aphilosophy and operating style that is appropriate to thedevelopment and maintenance of effective internal control.The agency�s organizational structure and the way inwhich it assigns authority and responsibility contribute toeffective internal control. The agency has a good workingrelationship with the Congress and oversight groups.

Risk Assessment

The agency has established clear and consistent entitywideobjectives and supporting activity-level objectives.Management has made a thorough identification of risks,from both internal and external sources, that may affectthe ability of the agency to meet those objectives. Ananalysis of those risks has been performed, and the agencyhas developed an appropriate approach for riskmanagement. In addition, mechanisms are in place toidentify changes that may affect the agency�s ability toachieve its missions, goals, and objectives.

Control Activities

Appropriate policies, procedures, techniques, and controlmechanisms have been developed and are in place toensure adherence to established directives. Proper controlactivities have been developed for each of the agency�sactivities. The control activities identified as necessary areactually being applied properly.


Information and Communications Assessment/Conclusions

Information systems are in place to identify and recordpertinent operational and financial information relating tointernal and external events. That information iscommunicated to management and others within theagency who need it and in a form that enables them tocarry out their duties and responsibilities efficiently andeffectively. Management ensures that effective internalcommunications take place. It also ensures that effectiveexternal communications occur with groups that canaffect the achievement of the agency�s missions, goals, andobjectives. The agency employs various forms ofcommunications appropriate to its needs and manages,develops, and revises its information systems in acontinual effort to improve communications.

Monitoring

Agency internal control monitoring assesses the quality ofperformance over time. It does this by putting proceduresin place to monitor internal control on an ongoing basis asa part of the process of carrying out its regular activities.In addition, separate evaluations of internal control areperiodically performed and deficiencies found areinvestigated. Procedures are in place to ensure that thefindings of all audits and other reviews are promptlyevaluated, decisions are made about the appropriateresponse, and actions are taken to correct or otherwiseresolve the issues promptly.

(922290)


RELATED PRODUCTS

These related products address three main categories; internal control, financialmanagement systems, and financial reporting (accounting standards). We havedeveloped these guidelines and tools to assist agencies in improving or maintainingeffective operations and financial management.

Internal Control

Standards for Internal Control Streamlining the Payment Processin the Federal Government, While Maintaining Effective InternalGAO/AIMD-00-21.3.1, November 1999. Control, GAO/AIMD-00-21.3.2,

May 2000.

Determining Performance andAccountability Challenges and HighRisks, GAO-01-159SP, November 2000.

Financial Management Systems

Framework for Federal Financial Inventory System Checklist,Management System Checklist, GAO/AIMD-98-21.2.4, May 1998.GAO/AIMD-98-21.2.1, May 1998.

System Requirements for Managerial Core Financial System RequirementsCost Accounting Checklist, Checklist, GAO/AIMD-00-21.2.2,GAO/AIMD-99-21.2.9, January 1999. February 2000.

Human Resources and Payroll Direct Loan System RequirementsSystems Requirements Checklist Checklist, GAO/AIMD-00-21.2.6,GAO/AIMD-00-21.2.3, March 2000. April 2000.

Travel System Requirements Seized Property and Forfeited AssetsChecklist, GAO/AIMD-00-21.2.8, Requirements Checklist,May 2000. GAO-01-99G, October 2000.

Financial Reporting (Accounting Standards)

FASAB Volume 1 Original Statements,GAO/AIMD-97-21.1.1, March 1997.

These documents are available on the Internet on GAO’s Home Page (www.gao.gov) under“Other Publications.” They can also be obtained from GAO, 700 4th Street NW, Room 1100,Washington DC 20548, or by calling (202) 512-6000 or TDD (202) 512-2537.

United StatesGeneral Accounting OfficeWashington, D.C. 20548-0001

Official BusinessPenalty for Private Use $300

Address Correction Requested

Bulk RatePostage & Fees Paid

GAOPermit No. GI00

Documents

HEADS OF DEPARTMENTS AND AGENCIES