
United States General Accounting Office

GAO Internal Control

November 1999

Standards for Internal Control in the Federal Government

GAO/AIMD-00-21.3.1


Foreword

Federal policymakers and program managers are continually seeking ways to better achieve agencies’ missions and program results, in other words, they are seeking ways to improve accountability. A key factor in helping achieve such outcomes and minimize operational problems is to implement appropriate internal control. Effective internal control also helps in managing change to cope with shifting environments and evolving demands and priorities. As programs change and as agencies strive to improve operational processes and implement new technological developments, management must continually assess and evaluate its internal control to assure that the control activities being used are effective and updated when necessary.

The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) requires the General Accounting Office (GAO) to issue standards for internal control in government. The standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, revised June 21, 1995, provides the specific requirements for assessing and reporting on controls. The term internal control in this document is synonymous with the term management control (as used in OMB Circular A-123) that covers all aspects of an agency’s operations (programmatic, financial, and compliance).

Recently, other laws have prompted renewed focus on internal control. The Government Performance and Results Act of 1993 requires agencies to clarify their missions, set strategic and annual performance goals, and measure and report on performance toward those goals. Internal control plays a significant role in helping managers achieve those goals. Also, the Chief Financial Officers Act of 1990 calls for financial management systems to comply with internal control standards, and the Federal Financial Management Improvement Act of 1996 identifies internal control as an integral part of improving financial management systems.

Rapid advances in information technology have highlighted the need for updated internal control guidance related to modern computer systems. The management of human capital has gained recognition as a significant part of internal control. Furthermore, the private sector has updated its internal control guidance with the issuance of Internal Control — Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Consequently, we have developed this standards update which supersedes our previously issued “Standards for Internal Controls in the Federal Government.”

This update gives greater recognition to the increasing use of information technology to carry out critical government operations, recognizes the importance of human capital, and incorporates, as appropriate, the relevant updated internal control guidance developed in the private sector. The standards are effective beginning with fiscal year 2000 and the Federal Managers Financial Integrity Act reports covering that year.

We appreciate the efforts of government officials, public accounting professionals, and other members of the financial community and academia who provided valuable assistance in developing these standards.

David M. Walker
Comptroller General
of the United States

Introduction

The following definition, objectives, and fundamental concepts provide the foundation for the internal control standards.

Definition and Objectives

Internal Control

An integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:

• effectiveness and efficiency of operations,
• reliability of financial reporting, and
• compliance with applicable laws and regulations.

Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources.

Internal control should provide reasonable assurance that the objectives of the agency are being achieved in the following categories:

• Effectiveness and efficiency of operations including the use of the entity’s resources.

• Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.

• Compliance with applicable laws and regulations.

A subset of these objectives is the safeguarding of assets. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency’s assets.

Fundamental Concepts

Internal Control

• A continuous built-in component of operations.
• Effected by people.
• Provides reasonable assurance, not absolute assurance.

The fundamental concepts provide the underlying framework for designing and applying the standards.

Internal Control Is a Continuous Built-in Component of Operations

Internal control is not one event, but a series of actions and activities that occur throughout an entity’s operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their aims on an ongoing basis.

Internal Control Is Effected by People

People are what make internal control work. The responsibility for good internal control rests with all managers. Management sets the objectives, puts the control mechanisms and activities in place, and monitors and evaluates the control. However, all personnel in the organization play important roles in making it happen.

Internal Control Provides Reasonable Assurance, Not Absolute Assurance

Management should design and implement internal control based on the related cost and benefits. No matter how well designed and operated, internal control cannot provide absolute assurance that all agency objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its goals. For example, human mistakes, judgment errors, and acts of collusion to circumvent control can affect meeting agency objectives. Therefore, once in place, internal control provides reasonable, not absolute, assurance of meeting agency objectives.

Internal Control Standards

Presentation of the Standards

The Five Standards for Internal Control

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communications
• Monitoring

These standards define the minimum level of quality acceptable for internal control in government and provide the basis against which internal control is to be evaluated. These standards apply to all aspects of an agency’s operations: programmatic, financial, and compliance. However, they are not intended to limit or interfere with duly granted authority related to developing legislation, rule-making, or other discretionary policy-making in an agency. These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agency’s operations and to ensure that they are built into and an integral part of operations.

In the following material, each of these standards is presented in a short, concise statement. Additional information is provided to help managers incorporate the standards into their daily operations.

Control Environment

Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

A positive control environment is the foundation for all other standards. It provides discipline and structure as well as the climate which influences the quality of internal control. Several key factors affect the control environment.

One factor is the integrity and ethical values maintained and demonstrated by management and staff. Agency management plays a key role in providing leadership in this area, especially in setting and maintaining the organization’s ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate.

Another factor is management’s commitment to competence. All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training, as well as candid and constructive counseling, and performance appraisals.

Management’s philosophy and operating style also affect the environment. This factor determines the degree of risk the agency is willing to take and management’s philosophy towards performance-based management. Further, the attitude and philosophy of management toward information systems, accounting, personnel functions, monitoring, and audits and evaluations can have a profound effect on internal control.

Another factor affecting the environment is the agency’s organizational structure. It provides management’s framework for planning, directing, and controlling operations to achieve agency objectives. A good internal control environment requires that the agency’s organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting.

The environment is also affected by the manner in which the agency delegates authority and responsibility throughout the organization. This delegation covers authority and responsibility for operating activities, reporting relationships, and authorization protocols.

Good human capital policies and practices are another critical environmental factor. This includes establishing appropriate practices for hiring, orienting, training, evaluating, counseling, promoting, compensating, and disciplining personnel. It also includes providing a proper amount of supervision.

A final factor affecting the environment is the agency’s relationship with the Congress and central oversight agencies such as OMB. Congress mandates the programs that agencies undertake and monitors their progress and central agencies provide policy and guidance on many different matters. In addition, Inspectors General and internal senior management councils can contribute to a good overall control environment.

Risk Assessment

Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

A precondition to risk assessment is the establishment of clear, consistent agency objectives. Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives, such as those defined in strategic and annual performance plans developed under the Government Performance and Results Act, and forming a basis for determining how risks should be managed.

Management needs to comprehensively identify risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entitywide and activity level. Risk identification methods may include qualitative and quantitative ranking activities, management conferences, forecasting and strategic planning, and consideration of findings from audits and other assessments.

Once risks have been identified, they should be analyzed for their possible effect. Risk analysis generally includes estimating the risk’s significance, assessing the likelihood of its occurrence, and deciding how to manage the risk and what actions should be taken. The specific risk analysis methodology used can vary by agency because of differences in agencies’ missions and the difficulty in qualitatively and quantitatively assigning risk levels.

Because governmental, economic, industry, regulatory, and operating conditions continually change, mechanisms should be provided to identify and deal with any special risks prompted by such changes.

Control Activities

Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives.

Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.

Activities may be classified by specific control objectives, such as ensuring completeness and accuracy of information processing.

Examples of Control Activities

• Top level reviews of actual performance,
• Reviews by management at the functional or activity level,
• Management of human capital,
• Controls over information processing,
• Physical control over vulnerable assets,
• Establishment and review of performance measures and indicators,
• Segregation of duties,
• Proper execution of transactions and events,
• Accurate and timely recording of transactions and events,
• Access restrictions to and accountability for resources and records, and
• Appropriate documentation of transactions and internal control.

There are certain categories of control activities that are common to all agencies. Examples include the following:

Top Level Reviews of Actual Performance

Management should track major agency achievements and compare these to the plans, goals, and objectives established under the Government Performance and Results Act.

Reviews by Management at the Functional or Activity Level

Managers also need to compare actual performance to planned or expected results throughout the organization and analyze significant differences.

Management of Human Capital

Effective management of an organization’s workforce—its human capital—is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization’s success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities.

Controls Over Information Processing

A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts, and controlling access to data, files, and programs. Further guidance on control activities for information processing is provided below under “Control Activities Specific for Information Systems.”

Physical Control Over Vulnerable Assets

An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.

Establishment and Review of Performance Measures and Indicators

Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators.

Segregation of Duties

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.

Proper Execution of Transactions and Events

Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees.

Accurate and Timely Recording of Transactions and Events

Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded.

Access Restrictions to and Accountability for Resources and Records

Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

Appropriate Documentation of Transactions and Internal Control

Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained.

These examples are meant only to illustrate the range and variety of control activities that may be useful to agency managers. They are not all-inclusive and may not include particular control activities that an agency may need.

Furthermore, an agency’s internal control should be flexible to allow agencies to tailor control activities to fit their special needs. The specific control activities used by a given agency may be different from those used by others due to a number of factors. These could include specific threats they face and risks they incur; differences in objectives; managerial judgment; size and complexity of the organization; operational environment; sensitivity and value of data; and requirements for system reliability, availability, and performance.

Control Activities Specific for Information Systems

• General Control
• Application Control

There are two broad groupings of information systems control - general control and application control. General control applies to all information systems—mainframe, minicomputer, network, and end-user environments. Application control is designed to cover the processing of data within the application software.

General Control

This category includes entitywide security program planning, management, control over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. More specifically:

• Data center and client-server operations controls include backup and recovery procedures, and contingency and disaster planning. In addition, data center operations controls also include job set-up and scheduling procedures and controls over operator activities.

• System software control includes control over the acquisition, implementation, and maintenance of all system software including the operating system, data-based management systems, telecommunications, security software, and utility programs.

• Access security control protects the systems and network from inappropriate access and unauthorized use by hackers and other trespassers or inappropriate use by agency personnel. Specific control activities include frequent changes of dial-up numbers; use of dial-back access; restrictions on users to allow access only to system functions that they need; software and hardware “firewalls” to restrict access to assets, computers, and networks by external persons; and frequent changes of passwords and deactivation of former employees’ passwords.

• Application system development and maintenance control provides the structure for safely developing new systems and modifying existing systems. Included are documentation requirements; authorizations for undertaking projects; and reviews, testing, and approvals of development and modification activities before placing systems into operation. An alternative to in-house development is the procurement of commercial software, but control is necessary to ensure that selected software meets the user’s needs, and that it is properly placed into operation.

Application Control

This category of control is designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. Control should be installed at an application’s interfaces with other systems to ensure that all inputs are received and are valid and outputs are correct and properly distributed. An example is computerized edit checks built into the system to review the format, existence, and reasonableness of data.
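The information-processing controls named under “Controls Over Information Processing” and “Application Control” (edit checks for format, existence, and reasonableness; accounting for transactions in numerical sequence; comparing file totals with control figures) are shown here as an added example that is not part of the GAO standard. The record layout, vendor master list, amount ceiling, batch data, and release rule are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import date
from decimal import Decimal

# Assumed for illustration: record layout, vendor master file, amount ceiling.
VENDOR_MASTER = {"V100", "V200", "V300"}
AMOUNT_CEILING = Decimal("25000.00")
AMOUNT_RE = re.compile(r"[0-9]+\.[0-9]{2}")

# Constructed batch: the header figures come from the sending system, the
# records are what actually arrived. Record 1004 was lost and 1006 came twice,
# so the record count still matches the header.
BATCH_HEADER = {"first_seq": 1001, "last_seq": 1006, "count": 6,
                "control_total": Decimal("42100.75")}
BATCH_RECORDS = [
    {"seq": 1001, "vendor": "V100", "amount": "1200.00", "date": "1999-11-01"},
    {"seq": 1002, "vendor": "V200", "amount": "30000.00", "date": "1999-11-01"},
    {"seq": 1003, "vendor": "V999", "amount": "450.75", "date": "1999-11-02"},
    {"seq": 1005, "vendor": "V300", "amount": "9,700.00", "date": "1999-11-03"},
    {"seq": 1006, "vendor": "V100", "amount": "250.00", "date": "1999-11-31"},
    {"seq": 1006, "vendor": "V100", "amount": "250.00", "date": "1999-11-31"},
]


def edit_check(txn):
    """Return the edit-check failures for one record (empty list = accepted)."""
    errors = []
    # Format: amount is a plain two-decimal number, date is a real ISO date.
    amount = None
    if AMOUNT_RE.fullmatch(txn["amount"]):
        amount = Decimal(txn["amount"])
    else:
        errors.append("format: amount")
    try:
        date.fromisoformat(txn["date"])
    except ValueError:
        errors.append("format: date")
    # Existence: the vendor must already be in the master file.
    if txn["vendor"] not in VENDOR_MASTER:
        errors.append("existence: vendor")
    # Reasonableness: positive and no larger than the ceiling.
    if amount is not None and not (Decimal("0") < amount <= AMOUNT_CEILING):
        errors.append("reasonableness: amount")
    return errors


def sequence_exceptions(txns, first, last):
    """Account for every sequence number in [first, last]: gaps and repeats."""
    seen = Counter(t["seq"] for t in txns)
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicated = sorted(n for n, c in seen.items() if c > 1)
    return missing, duplicated


def reconcile(txns, header):
    """Compare the file's record count and amount total with the header."""
    file_total = sum((Decimal(t["amount"]) for t in txns
                      if AMOUNT_RE.fullmatch(t["amount"])), Decimal("0"))
    return {"count_ok": len(txns) == header["count"],
            "total_ok": file_total == header["control_total"],
            "file_total": file_total}


def process_batch(header, txns):
    """Run record-level edit checks, then the batch-level controls."""
    accepted, rejected = [], []
    for t in txns:
        errs = edit_check(t)
        if errs:
            rejected.append((t["seq"], errs))
        else:
            accepted.append(t["seq"])
    missing, duplicated = sequence_exceptions(
        txns, header["first_seq"], header["last_seq"])
    report = {"accepted": accepted, "rejected": rejected,
              "missing": missing, "duplicated": duplicated}
    report.update(reconcile(txns, header))
    # Assumed policy: release the batch for posting only with no exceptions.
    report["release"] = (not rejected and not missing and not duplicated
                         and report["count_ok"] and report["total_ok"])
    return report


if __name__ == "__main__":
    for key, value in process_batch(BATCH_HEADER, BATCH_RECORDS).items():
        print(f"{key}: {value}")
```

In the constructed batch the record count agrees with the header even though one record is missing and another is duplicated; only the sequence check and the control total expose the problem.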

General and application control over computer systems are interrelated. General control supports the functioning of application control, and both are needed to ensure complete and accurate information processing. If the general control is inadequate, the application control is unlikely to function properly and could be overridden.

Because information technology changes rapidly, controls must evolve to remain effective. Changes in technology and its application to electronic commerce and expanding Internet applications will change the specific control activities that may be employed and how they are implemented, but the basic requirements of control will not have changed. As more powerful computers place more responsibility for data processing in the hands of the end users, the needed controls should be identified and implemented.

Information and Communications

Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

For an entity to run and control its operations, it must have relevant, reliable, and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all of its objectives.

Program managers need both operational and financial data to determine whether they are meeting their agencies’ strategic and annual performance plans and meeting their goals for accountability for effective and efficient use of resources. For example, operating information is required for development of financial reports. This covers a broad range of data from purchases, subsidies, and other transactions to data on fixed assets, inventories, and receivables. Operating information is also needed to determine whether the agency is achieving its compliance requirements under various laws and regulations. Financial information is needed for both external and internal uses. It is required to develop financial statements for periodic external reporting, and, on a day-to-day basis, to make operating decisions, monitor performance, and allocate resources. Pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently.

Effective communications should occur in a broad sense with information flowing down, across, and up the organization. In addition to internal communications, management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals. Moreover, effective information technology management is critical to achieving useful, reliable, and continuous recording and communication of information.

Monitoring

Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

Internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency’s operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.

Separate evaluations of control can also be useful by focusing directly on the controls’ effectiveness at a specific time. The scope and frequency of separate evaluations should depend primarily on the assessment of risks and the effectiveness of ongoing monitoring procedures. Separate evaluations may take the form of self-assessments as well as review of control design and direct testing of internal control. Separate evaluations also may be performed by the agency Inspector General or an external auditor. Deficiencies found during ongoing monitoring or through separate evaluations should be communicated to the individual responsible for the function and also to at least one level of management above that individual. Serious matters should be reported to top management.

Monitoring of internal control should include policies and procedures for ensuring that the findings of audits and other reviews are promptly resolved. Managers are to (1) promptly evaluate findings from audits and other reviews, including those showing deficiencies and recommendations reported by auditors and others who evaluate agencies’ operations, (2) determine proper actions in response to findings and recommendations from audits and reviews, and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management’s attention. The resolution process begins when audit or other review results are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates the findings and recommendations do not warrant management action.
