1. Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1

2. Session Objectives To discuss GAO’s revision to the Standards for Internal Control in the Federal Government (Green Book) 2

3. Green Book Through the Years 1983Present 3

4. What’s in Green Book for the Federal Government? Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA) Serves as a base for OMB Circular A-123 Written for government Leverages the COSO Framework Uses government terms 4

5. What’s in Green Book for State and Local Governments? May be an acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards Written for government Leverages the COSO Framework Uses government terms 5

6. What’s in Green Book for Management and Auditors? Provides standards for management Provides criteria for auditors Can be used in conjunction with other standards, e.g. Yellow Book 6

7. Reasons for Green Book Revision 7

8. Revision to the Green Book What is not changing Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control are required for effective internal control Important role of judgment in designing, implementing and operating an internal control system and evaluating its effectiveness What is changing Changes in operating environments considered Operations and reporting objectives expanded Fundamental concepts underlying five components articulated as principles Additional consideration given to operations, compliance, and non- financial reporting objectives 8

9. Green Book Revision Proposed Timeline 9 Outreach to User Community Ongoing First GBAC meeting 5/20/2013 Public Exposure 9/3/2013- 2/18/2014 Finalize Green Book Summer 2014

10. Updated COSO Framework Released May 14, 2013 10

11. The COSO Framework Relationship of Objectives and Components Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives) COSO depicts the relationship in the form of a cube: The three objectives are represented by the columns The five components are represented by the rows The entity’s organization structure is represented by the third dimension Page 11 Source: COSO

12. From COSO to Green Book: Harmonization COSO Green Book 12

13. Green Book Revision Process Retained five original COSO components Adapted COSO Framework’s language to make it appropriate for a federal government standard Adapted the concepts for a government environment where appropriate Considered clarity drafting conventions Considered INTOSAI internal control guidance 13

14. Green Book Advisory Council Representation from: Federal agency management (nominated by OMB) Inspector General State and local government Academia COSO Independent public accounting firms At large 14

15. Exposure Draft Comment Process Issued for comments in September 2013 (Deadline December 2, 2013; Extended through February 18, 2014) Comments sent to Green Book inbox GreenBook@gao.gov and published in GAO’s website GreenBook@gao.gov 43 Comment Letters resulting in 527 comments 15

16. Exposure Draft Comment Process CategoryComments Overall GB Comments29 Overview159 Control Environment31 Risk Assessment25 Control Activities19 Information & Communication5 Monitoring14 Glossary28 Total527 16

17. Exposure Draft Comment Process Comments from federal agencies, Inspectors General, public accounting firms, professional organizations, academia, among others Major themes of comments included but were not limited to Clarification of requirements (must/should) Definition of key terms Applicability to state, local, and not-for-profits organizations Documentation requirements Editorial suggestions 17

18. Revised Green Book: Standards for Internal Control in the Federal Government 18 Overview Standards

19. Consists of two sections: Overview Standards Establishes: Definition of internal control Categories of objectives Components and principles of internal control Requirements for effectiveness Revised Green Book: Standards for Internal Control in the Federal Government 19

20. Revised Green Book: Overview Explains fundamental concepts of internal control Addresses how components, principles, and attributes relate to an entity’s objectives Discusses management evaluation of internal control 20 Overview Standards

21. Fundamental Concepts What is internal control in Green Book? “Internal control is a process effected by an entity’s management that provides reasonable assurance that the objectives of an entity are being achieved.” What is an internal control system in Green Book? “An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization’s objectives will be achieved.” 21

22. Overview: Components, Principles, and Attributes Achieve Objectives ComponentsPrinciplesAttributes 22 Overview Standards

23. Overview: Principles and Attributes 23 Overview Standards In general, all components and principles are required for an effective internal control system Principles and Attributes Entity should implement relevant principles If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively Attributes contribute to the design, implementation, and operating effectiveness of principles

24. Overview: Management Evaluation An effective internal control system requires that each of the five components are: Effectively designed, implemented, and operating Operating together in an integrated manner Management evaluates the effect of deficiencies on the internal control system A component is not likely to be effective if related principles are not effective 24 Overview Standards Overview Standards

25. Overview: Additional Considerations The impact of service organizations on an entity’s internal control system Discussion of documentation requirements in the Green Book Applicability to state, local, and quasi-governmental entities as well as not-for-profits Cost/Benefit and Large/Small Entity Considerations 25 Overview Standards Overview Standards

26. Revised Green Book: Standards Control Environment Risk Assessment Control Activities Information and Communication Monitoring 26 Overview Standards

27. Revised Green Book: Standards Explains principles for each component Includes application material for each attribute 27 Overview Standards

28. Revised Green Book: Principles 28

29. Component, Principle, Attribute 29

30. Control Environment 30

31. Risk Assessment 31

32. Control Activities 32

33. Information & Communication 33

34. Monitoring 34

35. Controls Across Components 35

36. Other Key Considerations Standards vs. Framework Documentation Requirements O4.08 lists the documentation requirements found in the principles which represent the minimum level of documentation necessary for an effective internal control system. Consideration of attributes O3.09 discusses how management considers the design, implementation, and operating effectiveness of the attributes for each principle 36

37. Documentation Requirements Control Environment 3.12: Management should develop and maintain documentation of its internal control system. Control Activities 12.03: Management should document in policies the internal control responsibilities of the organization. 37

38. Documentation Requirements (cont.) Monitoring 16.12: Management should evaluate and document the results of ongoing monitoring and separate evaluations to identify internal control issues. 17.07: Management should evaluate and document internal control issues and determine appropriate corrective actions for internal control deficiencies on a timely basis. 17.09: Management should complete and document corrective actions to remediate internal control deficiencies on a timely basis. 38

39. The Green Book in Action Relationship between the Green Book and Yellow Book 39

40. Green Book and Yellow Book Can be used by management to understand requirements Can be used by auditors to understand criteria 40

41. The Yellow Book: Framework for Audits Findings are composed of Condition (What is) Criteria (What should be) Cause Effect (Result) Recommendation (as applicable) 41

42. Linkage Between Criteria (Yellow Book) and Internal Control (Green Book) Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system 42

43. The Yellow Book: Framework for Audits Findings are composed of Condition (What is) Criteria (What should be) Cause Effect (Result) Recommendation (as applicable) 43

44. Linkage Between Findings (Yellow Book) and Internal Control (Green Book) Findings may have causes that relate to internal control deficiencies 44

45. Implications of Ineffective Internal Controls More than $154 Million in Questioned and Unsupported Costs in [Grant Recipients] Proposed Budget More than $6.3 Million of Questioned Costs at the University of [Green’s Higher Education] Internal Controls Over [Entity’s] Staff Retreats Could Be Improved Additional Audit Work Confirms $88 Million of Unallowable Contingency Costs in Construction Budget Improper Release of Personally Identifiable Information Page 45

46. Where to Find the Green Book The Green Book is on GAO’s website at: www.gao.gov/greenbook www.gao.gov/greenbook For technical assistance, contact us at: greenbook@gao.gov greenbook@gao.gov 46

47. Thank You Questions? 47