Section 2 - Establishing an Effective Internal Control System

Presentation of Standards

OV2.01 The Green Book defines the standards for internal control in the federal government. FMFIA requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities to determine if an internal control system is effective. Nonfederal entities may use the Green Book as a framework to design, implement, and operate an internal control system.

OV2.02 The Green Book applies to all of an entity’s objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the Green Book, management is responsible for designing the policies and procedures to fit an entity’s circumstances and building them in as an integral part of the entity’s operations.

Components, Principles and Attributes

OV2.03 An entity determines its mission, sets a strategic plan, establishes entity objectives, and formulates plans to achieve its objectives. Management, with oversight from the entity’s oversight body, may set objectives for an entity as a whole or target activities within the entity. Management uses internal control to help the organization achieve these objectives. While there are different ways to present internal control, the Green Book approaches internal control through a hierarchical structure of five components and 17 principles. The hierarchy includes requirements for establishing an effective internal control system, including specific documentation requirements.

OV2.04 The five components represent the highest level of the hierarchy of standards for internal control in the federal government. The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The five components of internal control are as follows:

  • Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
  • Risk Assessment - Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
  • Control Activities - The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
  • Information and Communication - The quality information management and personnel communicate and use to support the internal control system.
  • Monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

OV2.05 The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

OV2.06 In general, all components and principles are relevant for establishing an effective internal control system. In rare circumstances, there may be an operating or regulatory situation in which management has determined that a principle is not relevant for the entity to achieve its objectives and address related risks. If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. In addition to principle requirements, the Green Book contains documentation requirements.

OV2.07 The Green Book contains additional information in the form of attributes. These attributes are intended to help organize the application material management may consider when designing, implementing, and operating the associated principles. Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Attributes may also provide background information on matters addressed in the Green Book.

OV2.08 Attributes are relevant to the proper implementation of the Green Book. Management has a responsibility to understand the attributes and exercise judgment in fulfilling the requirements of the standards. The Green Book, however, does not prescribe how management designs, implements, and operates an internal control system.

OV2.09 The fiigure below lists the five components of internal control and 17 related principles.

The Five Components and 17 Principles of Internal Control

Internal Control and the Entity

OV2.10 A direct relationship exists among an entity’s objectives, the five components of internal control, and the organizational structure of an entity. Objectives are what an entity wants to achieve. The five components of internal control are what are required of the entity to achieve the objectives. Organizational structure encompasses the operating units, operational processes, and other structures management uses to achieve the objectives. This relationship is depicted in the form of a cube developed by COSO.

The Components, Objectives, and Organizational Structure of Internal Control

OV2.11 The three categories into which an entity’s objectives can be classified are represented by the columns labeled on top of the cube. The five components of internal control are represented by the rows. The organizational structure is represented by the third dimension of the cube.

OV2.12 Each component of internal control applies to all three categories of objectives and the organizational structure. The principles support the components of internal control (see figure below).

The Components, Objectives, and Organizational Structure of Internal Control

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors.

Roles in an Internal Control System

OV2.14 Because internal control is a part of management’s overall responsibility, the five components are discussed in the context of the management of the entity. However, everyone in the entity has a responsibility for internal control. In general, roles in an entity’s internal control system can be categorized as follows:

  • Oversight body - The oversight body is responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing management’s design, implementation, and operation of an internal control system. For some entities, an oversight body might be one or a few members of senior management. For other entities, multiple parties may be members of the entity’s oversight body. For the purpose of the Green Book, oversight by an oversight body is implicit in each component and principle.
  • Management - Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system. Managers’ responsibilities vary depending on their functions in the organizational structure.
  • Personnel - Personnel help management design, implement, and operate an internal control system and are responsible for reporting issues noted in the entity’s operations, reporting, or compliance objectives.

OV2.15 External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity’s internal control system. While management may evaluate and incorporate recommendations by external auditors and the OIG, responsibility for an entity’s internal control system resides with management.

Objectives of an Entity

OV2.16 Management, with oversight by an oversight body, sets objectives to meet the entity’s mission, strategic plan, and goals and requirements of applicable laws and regulations. Management sets objectives before designing an entity’s internal control system.

Management may include setting objectives as part of the strategic planning process.

OV2.17 Management, as part of designing an internal control system, defines the objectives in specific and measurable terms to enable management to identify, analyze, and respond to risks related to achieving those objectives.

Categories of Objectives OV2.18 Management groups objectives into one or more of the three categories of objectives:

  • Operations - Effectiveness and efficiency of operations
  • Reporting - Reliability of reporting for internal and external use
  • Compliance - Compliance with applicable laws and regulations

Operations Objectives

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives.
Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources.

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission.

Reporting Objectives

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories:

    • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders.
    • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders.
    • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance.

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively.

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity.

Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity.

Safeguarding of Assets

OV2.24 A subset of the three categories of objectives is the safeguarding of assets. Management designs an internal control system to provide reasonable assurance regarding prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an entity’s assets.

Setting Subobjectives

OV2.25 Management can develop fromobjectives more specific subobjectives throughout the organizational structure. Management defines subobjectives in specific and measurable terms that can be communicated to the personnel who are assigned responsibility to achieve these subobjectives. Both management and personnel require an understanding of an objective, its subobjectives, and defined levels of performance for accountability in an internal control system.

  1. Green Book PDF
  2. COSO Framework
  3. GAO Green Book Site