Standards for Internal Control in the Federal Government

Standards for Internal Control
in the Federal Government:
The “Green Book”
Kristen Kociolek
Assistant Director, U.S. Government Accountability Office
Harriet Richardson
City Auditor, Palo Alto, CA
Larry Stafford
Internal Performance Auditor, Clark County, WA
Learning Objectives
• Understand what an exposure draft is and why the
Professional Issues Committee reviews them
• Understand what the Green Book is and why it is relevant
to local government auditors
• Understand key differences between COSO and the Green
Book
• Understand ways that auditors can use the Green Book in
their own work
• Understand ways that auditors can use the Green Book to
help management in their organizations gain a better
understanding of internal control
What Is the “Green Book”?
• Official title is, “Standards for Internal Control in the
Federal Government”
• Similar to the Yellow Book, it is called the Green Book
because of its green cover
• Reflects federal internal control standards required per
the Federal Managers’ Financial Integrity Act (FMFIA)
• Serves as the base for OMB Circular A-123
• Written for government:
  - Leverages the COSO Framework
  - Uses government terms
Green Book Through the Years
1983
Present
Reasons for Green Book Revision
From COSO to Green Book:
Harmonization
Internal Control Defined:
COSO vs. Green Book
• COSO Definition: “A process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable
assurance regarding the achievement of the objectives relating to
operations, reporting, and compliance.”
• Green Book Definition: “An integral component of an entity’s
management that provides reasonable assurance that the objectives
of an entity are being achieved. These objectives and related risks can
be broadly classified into one or more of the three following
categories:
  - Operations – Effectiveness and efficiency of operations
  - Reporting – Reliability of reporting for internal and external use
  - Compliance – Compliance with applicable laws and regulations”
Internal Control Objectives
Internal Controls Provide Reasonable Assurance of
Achieving Objectives
Operations
• Efficiency
• Effectiveness
Safeguarding of Assets
Reporting
• Reliability
• Internal/External
Compliance
• Laws
• Regulations
The COSO Framework
• Relationship of Objectives and Components
  - Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube:
  - The three objectives are represented by the columns
  - The five components are represented by the rows
  - The entity’s organization structure is represented by the third dimension
Source: COSO
Green Book Revision Process
• Retained five original COSO components
• Adapted COSO Framework’s language
to make it appropriate for a federal
government standard
• Adapted the concepts for a government
environment where appropriate
• Considered clarity drafting conventions
• Considered INTOSAI internal control guidance
Green Book Advisory Council
Representation from:
• Federal agency management (nominated by OMB)
• Inspector General
• State and local government, including two ALGA
members
• Academia
• COSO
• Independent public accounting firms
• At large
Revised Green Book: Overview Section
• Fundamental concepts of internal control
• Establishing an effective internal control system
• Evaluation of an effective internal control system
• Additional considerations
Standards:
Components, Principles, and Attributes
Achieve Objectives
Components
Principles
Attributes
Overview
Standards
5 Components Supported by 17 Principles
Control Environment
1. Demonstrate commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establish structure, authority, and responsibility
4. Demonstrate commitment to competence
5. Enforce accountability
Risk Assessment
6. Define objectives and risk tolerances
7. Identify, analyze, and respond to risks
8. Assess fraud risk
9. Identify, analyze, and respond to significant change
Control Activities
10. Design control activities to achieve objectives
11. Design control activities for entity’s information systems
12. Implement control activities through written policies
Information & Communication
13. Use quality relevant information
14. Communicate internally
15. Communicate externally
Monitoring Activities
16. Establish and perform monitoring activities
17. Identify and remediate deficiencies in a timely manner
Example: Component, Principle, Attributes
Example: Controls Across Components
Controls embedded in other components may affect this principle
Principle
Component
Key Differences: Requirements of
COSO vs. Green Book
COSO Framework:
• Each of the 5 components and relevant principles are present and functioning
• Addresses deficiencies in general terms
• Documentation is a matter of judgment
Green Book:
• Each of the 5 components, 17 principles, and relevant attributes are effectively designed, implemented, and operating
• Addresses deficiencies in design, operation, and implementation
• Specifies minimum documentation requirements
Key Differences: Overall Tone and Approach
COSO vs. Green Book
COSO Framework:
• Accommodates global operations
• Additional details and narrative
• IT general controls
• Focus on organization’s responsibilities for internal controls
Green Book:
• Accommodates government operations
• Direct and indexed
• IT general and application controls
• Focus on management’s responsibilities for internal controls
PIC’s Response to Green Book Exposure Draft
• Agreed with format, content, and enhanced detail
• Suggestions included:
  - Address challenges and requirements for large, complex governments
  - Define the terms “must” and “should”; add explanatory language for difference in responsibility imparted by each term
  - Clarify roles and responsibilities of those responsible for internal control, including requirements for reporting allegations of fraud and wrongdoing
  - Expand examples to strengthen understanding of applicability to state and local governments
  - Improve documentation requirements for the monitoring component
  - Define “external auditor” to align with GAGAS 3.27-3.30
Exposure Draft Review and Next Steps
• Issued for comments in September 2013; response deadline of
December 2, 2013; extended to February 18, 2014
• 43 comment letters with 527 comments; major themes of comments included:
  - Clarification of requirements (must/should)
  - Definition of key terms
  - Applicability to state, local, and not-for-profit organizations
  - Documentation requirements
  - Editorial suggestions
• Green Book Advisory Council meeting in late May 2014
• Finalize Green Book in summer 2014
• GAO will publish a companion document, Internal Control
Management and Evaluation Tool
Auditors’ Role in Using the Green Book
In their own work: there is a linkage between internal control
(Green Book) and criteria (Yellow Book):
• Can be used by auditors to understand criteria
• Findings are composed of:
  • Condition (what is)
  • Criteria (what should be)
  • Cause (often relates to internal control deficiencies)
  • Effect (result)
  • Recommendation (as applicable)
• Green Book provides criteria for design, implementation, and
operating effectiveness of an effective internal control system
Auditors’ Role in Using the Green Book:
Control Environment – Audit Application
Audit evaluated why theft occurred:
• $52,000 theft from 2009-2011 despite
multiple audits and 179
recommendations over 10 years to
improve cash handling practices in
various city departments
• Lack of “tone at the top” to correct
the deficiencies, either at the
departments audited or citywide
• Management focus on providing
services rather than on the oversight
required to safeguard assets
Auditors’ Role in Using the Green Book:
Risk Assessment – Audit Application
Audit evaluated the appropriateness of
the Health Service trust fund balance:
• The Health Service Board was not
sufficiently focused on risk
management
• The Health Service Board did not
identify cost containment strategies to
address the risks associated with
skyrocketing health care costs
• With insufficient oversight, strategic
planning, and decision making from
the Board, the Health Service System
could not adequately position itself to
address future issues
Auditors’ Role in Using the Green Book:
Control Activities – Audit Application
Audit evaluated the Pension
Division’s internal control system;
inadequate controls, including
lack of supervision, allowed:
• Two employees to divert
$75,690 in payments from two
deceased pensioners and one
fictitious pensioner into a bank
account
• Payments totaling $2.1 million
to be paid to 454 deceased
pensioners over a 39-month
period
Auditors’ Role in Using the Green Book:
Information & Communication – Audit Application
Audit evaluated agency procedures for
collecting, calculating, and reporting
performance-related data:
• Performance data collected often did
not match the measure’s definition
• Procedures for collecting data often
unreliable
• Reported performance data often
inaccurate
• Performance data inaccuracies and
inadequate procedures diminish
transparency and accountability and
affect the quality of management
decisions
Auditors’ Role in Using the Green Book:
Monitoring – Audit Application
Audit evaluated why theft occurred; identified warning signs that
there was more theft:
• Boat launch revenue sharply declined for three consecutive years
• No boat launch revenue in August 2007 – a peak boating month
• Management did not monitor; was unaware of decline in/lack of
revenue
Auditors’ Role in Helping Management
Use the Green Book
• Develop and provide training sessions to help
management understand the components, principles,
and attributes and their applicability to local
government
  • Focus on responsibilities of management
  • Provide examples for each component, principle, and attribute
  • Use “plain talk”
• Explain link to grant monitoring responsibilities
• Educate management through audits
Exposure Draft, previous Green Book
versions, and comment letters available
at:
http://www.gao.gov/greenbook/overview
Questions?
Contact Information
• Kristen Kociolek
202.512.2989
• Harriet Richardson
650.329.2629
• Larry Stafford
360.397.2310