Standards for Internal Control in the Federal Government: The “Green Book” Kristen Kociolek Assistant Director, U.S. Government Accountability Office Harriet Richardson City Auditor, Palo Alto, CA Larry Stafford Internal Performance Auditor, Clark County, WA

Learning Objectives Understand what an exposure draft is and why the Professional Issues Committee reviews them Understand what the Green Book is and why it is relevant to local government auditors Understand key differences between COSO and the Green Book Understand ways that auditors can use the Green Book in their own work Understand ways that auditors can use the Green Book to help management in their organizations gain a better understanding of internal control

What Is the “Green Book”? Official title is, “Standards for Internal Control in the Federal Government” Similar to the Yellow Book, it is called the Green Book because of its green cover Reflects federal internal control standards required per the Federal Managers’ Financial Integrity Act (FMFIA) Serves as the base for OMB Circular A-123 Written for government: Leverages the COSO Framework Uses government terms

Green Book Through the Years 1983 Present

Reasons for Green Book Revision

From COSO to Green Book: Harmonization

Internal Control Defined: COSO vs. Green Book COSO Definition: “A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives relating to operations, reporting, and compliance.” Green Book Definition: “An integral component of an entity’s management that provides reasonable assurance that the objectives of an entity are being achieved. These objectives and related risks can be broadly classified into one or more of the three following categories: Operations – Effectiveness and efficiency of operations Reporting – Reliability of reporting for internal and external use Compliance – Compliance with applicable laws and regulations

Internal Control Objectives Internal Controls Provide Reasonable Assurance of Achieving Objectives Operations Efficiency Effectiveness Compliance Laws Regulations Reporting Reliability Internal/ External Safeguarding of Assets

The COSO Framework Relationship of Objectives and Components Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives) COSO depicts the relationship in the form of a cube: The three objectives are represented by the columns The five components are represented by the rows The entity’s organization structure is represented by the third dimension Source: COSO

Green Book Revision Process Retained five original COSO components Adapted COSO Framework’s language to make it appropriate for a federal government standard Adapted the concepts for a government environment where appropriate Considered clarity drafting conventions Considered INTOSAI internal control guidance

Green Book Advisory Council Representation from: Federal agency management (nominated by OMB) Inspector General State and local government, including two ALGA members Academia COSO Independent public accounting firms At large

Revised Green Book: Overview Section Fundamental concepts of internal control Establishing an effective internal control system Evaluation of an effective internal control system Additional considerations

Standards: Components, Principles, and Attributes Achieve ObjectivesComponentsPrinciplesAttributes Overview Standards

5 Components Supported by 17 Principles 1.Demonstrate commitment to integrity and ethical values 2.Exercise oversight responsibility 3.Establish structure, authority, and responsibility 4.Demonstrate commitment to competence 5.Enforce accountability Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 6.Define objectives and risk tolerances 7.Identify, analyze, and respond to risks 8.Assess fraud risk 9.Identify, analyze, and respond to significant change 10.Design control activities to achieve objectives 11.Design control activities for entity’s information systems 12.Implement control activities through written policies 13.Use quality relevant information 14.Communicate internally 15.Communicate externally 16.Establish and perform monitoring activities 17.Identify and remediate deficiencies in a timely manner

Example: Component, Principle, Attributes

Example: Controls Across Components Controls embedded in other components may affect this principle Principle Component

Key Differences: Requirements of COSO vs. Green Book COSO Framework: Each of the 5 components and relevant principles are present and functioning Addresses deficiencies in general terms Documentation is a matter of judgment Green Book: Each of the 5 components, 17 principles, and relevant attributes are effectively designed, implemented, and operating Addresses deficiencies in design, operation, and implementation Specifies minimum documentation requirements

Key Differences: Overall Tone and Approach COSO vs. Green Book COSO Framework: Accommodates global operations Additional details and narrative IT general controls Focus on organization’s responsibilities for internal controls Green Book: Accommodates government operations Direct and indexed IT general and application controls Focus on management’s responsibilities for internal controls

PIC’s Response to Green Book Exposure Draft Agreed with format, content, and enhanced detail Suggestions included: Address challenges and requirements for large, complex governments Define the terms “must” and “should”; add explanatory language for difference in responsibility imparted by each term Clarify roles and responsibilities of those responsible for internal control, including requirements for reporting allegations of fraud and wrongdoing Expand examples to strengthen understanding of applicability to state and local governments Improve documentation requirements for the monitoring component Define “external auditor” to align with GAGAS

Exposure Draft Review and Next Steps Issued for comments in September 2013; response deadline of December 2, 2013; extended to February 18, comment letters with 527 comments; major themes of comments included: Clarification of requirements (must/should) Definition of key terms Applicability to state, local, and not-for-profit organizations Documentation requirements Editorial suggestions Green Book Advisory Council meeting in late May 2014 Finalize Green Book in summer 2014 GAO will publish a companion document, Internal Control Management and Evaluation Tool

Auditors’ Role in Using the Green Book In their own work: there is a linkage between internal control (Green Book) and criteria (Yellow Book): Can be used by auditors to understand criteria Findings are composed of: Condition (what is) Criteria (what should be) Cause (often relates to internal control deficiencies) Effect (result) Recommendation (as applicable) Green Book provides criteria for design, implementation, and operating effectiveness of an effective internal control system

Auditors’ Role in Using the Green Book: Control Environment – Audit Application Audit evaluated why theft occurred: $52,000 theft from despite multiple audits and 179 recommendations over 10 years to improve cash handling practices in various city departments Lack of “tone at the top” to correct the deficiencies, either at the departments audited or citywide Management focus on providing services rather than on the oversight required to safeguard assets

Auditors’ Role in Using the Green Book: Risk Assessment – Audit Application Audit evaluated the appropriateness of the Health Service trust fund balance: The Health Service Board was not sufficiently focused on risk management The Health Service Board did not identify cost containment strategies to address the risks associated with skyrocketing health care costs Insufficient oversight, strategic planning, and decision making from the Board, the Health Service System could not adequately position itself to address future issues

Auditors’ Role in Using the Green Book: Control Activities – Audit Application Audit evaluated the Pension Division’s internal control system; inadequate controls, including lack of supervision, allowed: Two employees to divert $75,690 in payments from two deceased pensioners and one fictitious pensioner into a bank account Payments totaling $2.1 million to be paid to 454 deceased pensioners over a 39-month period

Auditors’ Role in Using the Green Book: Information & Communication – Audit Application Audit evaluated agency procedures for collecting, calculating, and reporting performance-related data: Performance data collected often did not match the measure’s definition Procedures for collecting data often unreliable Reported performance data often inaccurate Performance data inaccuracies and inadequate procedures diminish transparency and accountability and affect the quality of management decisions

Auditors’ Role in Using the Green Book: Monitoring – Audit Application Audit evaluated why theft occurred; identified warning signs that there was more theft: Boat launch revenue sharply declined for three consecutive years No boat launch revenue in August 2007 – a peak boating month Management did not monitor; was unaware of decline in/lack of revenue

Auditors’ Role in Helping Management Use the Green Book Develop and provide training sessions to help management understand the components, principles, and attributes and their applicability to local government Focus on responsibilities of management Provide examples for each component, principle, and attribute Use “plain talk” Explain link to grant monitoring responsibilities Educate management through audits

Standards for Internal Control in the Federal Government: The “Green Book” Exposure Draft, previous Green Book versions, and comment letters available at:

Standards for Internal Control in the Federal Government: The “Green Book” Questions?

Contact Information Kristen Kociolek Harriet Richardson Larry Stafford