Standards for Internal Controls in the Federal Government

Standards For Internal Controls In The Federal Government

GAO ! I United States General Accountng Office 1983 1 t CON T E NTS

F o re wo rd Introduction 7 Internal Control Standards 2 Explanation of General Standards 4 Explanation of Specific Standards 8 Explanation of the Audit Resolution Standard 12 FOREWORD

In 1950, the Accounting and nized that good internal controls ment," issued by the Office of Auditing Act was passed requir- would have made the com- Management and Budget ing, among other things, that mission of such wrongful acts in December 1982, and the agency heads establish and main- more difficult, Consequently, in- reports are to state whether sys- tain effective systems of internal creased at'tention is being tems meet the objectives of control. Since then, the General directed toward strengthening internal control and conform to Accounting Office (GAO) has is- internal controls to help restore standards established by GAO. sued numerous publications to confidence in Government and to This document presents the guide agencies in establishing improve its operations. internal control standards to be and maintaining effective inter- The federal Managers' followed, and covers both the pro- nal control systems. While the Financial tntegrity Act of 1982 gram management as well as the need for improved internal con- requires renewed focus on the traditional financial manage- trols has continued, development need to strengthen internal con- ment areas. From time to time, of effective systems has been trols. The act requires that as may become necessary, GAO slow. agency internal contro1 systems will issue interpretations and In the past decade, numer- be periodically evaluated and revisions to these standards. ous situations came to light that that the heads of executive We are grateful to the Gov- dramatically demonstrated the agencies report annually on their ernment officials, professional I need for controls as the Govern- systems' status. These evalua- orga nirat ions, p ubl ic account i ng ment experienced a rash of il- tions are to be made pursuant to officials, and other members of legal, unauthorized, and ques- the "Guidelines for the Evalua- the academic and financial com- tionable acts which were tion and Improvement of and munities who provided us valu- characterized as fraud, waste, Reporting on Internal Control able assistance through their and abuse. It is generally recog- Systems in the Federal Govern- comments on our draft proposa I s.

Comptroller General of the United States l

e INTRODUCTION

This document contains the reports must identify the weak- Comptroller General's internal nesses involved and describe the control standards to be followed plans for corrective action. by executive agencies in estab- The following concept of internal lishing and maintaining systems controls is useful in understand- of internal control as required by ing and applying the internal the Federal Managers' Financial control standards set forth and Integrity Act of 1982 (31 U.S.C. discussed on succeeding pages. 351 2(b)). Internal control systems are to reasonably The plan of organization ensure that the following and methods and procedures objectives are achieved: adopted by management to ensure that resource use is con- MObligations and costs sistent with laws, regulations. comply with applicable law and policies; that resources are .All assets are safeguarded safeguarded against waste, against waste, loss, unauthor- Loss, and misuse; and that reli- ized use, and misappropriation. able data are obtained, maintained, and fairly disclosed in =Revenues and expenditures reports. appficable to agency operations are recorded and accounted for The ultimate responsibility properly so that accounts and for good internal controls rests reliable financial and statistical with management. Internal con- reports may be prepared and ac- trols should not be looked upon countability of the assets may be as separate, specialized systems maintained. within an agency. Rather, they should be recognized as an inte- The act directs the heads of gral part of each system that executive agencies to: management uses to regulate =Make an annual evaluation and guide its operations. In this of their internal controls using sense, internal controls are guidelines established by the management controls. Good Office of Management and internal controls are essential to Budget (OMB). achieving the proper conduct of Government business with full =Provide annual reports to the President and Congress that accountability for the resources made available. They also facili- state whether agency systems of internal control comply with the tate the achievement of man- objectives of internal controls set agement objectives by serving as forth in the act and with the checks and balances against standards prescribed by the undesired actions. In preventing negative consequences from Comptroller General. Where sys- occurring, internal controls help tems do not comply, agency achieve the positive aims of program managers.

t INTERNAL CONTROL STAN DA R DS

The internal control stand- and adrn I ni strative functions but ards define the minimum level of are not intended to limit or inter- quality acceptable for internal fere with duly granted authority ) control systems in operation and related to development of legtsla- I constitute the criteria against tion, rulemaking, or other discre- which systems are to be evalu- tionary policymaking in an ated. These internal control agency standards apply to all operations I

General 1. Reasonable Assurance. assigned duties, as well as Internal control systems are to understand the importance of Standards provide reasonable assurance developing and implementing that the objectives of the sys- good- internal controls. terns will be accomplished. 4 4. Control Objectives. Inter- 2. Supportive Attitude. Man- nal control objectives are to be agers and employees are to main- identified or developed for each tain and demonstrate a positive agency activity and are to be logi- and supportive attitude toward in- cal, applicable, and reasonably ternal controls at all times. complete. 3. Competent Personnel. 5. Control Techniques. Inter- Managers and employees are to nal control techniques are to be have personal and professional effective and efficient in accom- integrity and are to maintain a plishing their internal control level of competence that allows objectives. them to accomplish their

2 I

Specific Standards 1. Documentation. Internal should be separated among control systems and all transac- individuals. tions and other Significant events 5. Supervision. Qualified are to be clearly documented, and continuous supervision is to and the documentation is to be be provided to ensure that inter- readily available for examination. nal control objectives are 2. Recording of Transactions achieved. and Events. Transactions and 6. Access to and Account- other significant events are to be ability for Resources. Access to promptly recorded and properly resources and records is to be classified. limited to authorized individuals, 1 3. Execution of Transactions and accountability for the cus- and Events. Transactions and tody and use of resources is to other significant events are to be be assigned and maintained. authorized and executed only by Periodic comparison shall be persons acting within the scope made of the resources with the of their authority. recorded accountability to determine whether the two E 4. Separation of Duties. Key j duties and responsibilities in au- agree. The frequency of the thoriri ng, processing, recording, comparison shalt be a function of and reviewing transactions the vulnerability of the asset.

i Audit Resolution Prompt Resolution of Audit ings and recommendations, and Standard Findings. Managers are to (1) (3)complete, within established promptly evaluate findings and time frames, all actions that cor- recommendations reported by rect or otherwise resolve the auditors, (2) determine proper matters brought to manage- I actions in response to audit find- ment's attention.

3 EXPLANATION OF GENERAL STANDARDS General internal control standards apply to all aspects of internal controls.

Reasonable Assurance

Internal control systems are The standard of reasonable Cost refers to the financial to provide reasonable assur- assurance recognizes that the measure of resources consumed ance that the objectives of the cost of internal control should in accomplishing a specified pur- systems will be accomplished. not exceed the benefit derived. pose. Cost can also represent a Reasonable assurance equates lost opportunity, such as a delay to a satisfactory level of confi- in operations, a decline in serv- dence under given considera- ice levels or productivity, or tow tions of costs, benefits, and risks. employee morale. A benefit IS The required determinations call measured by the degree to which for judgment to be exercised. the risk of failing to achieve a In exercising that judgment, stated objective is reduced. agencies should: Examples include increasing the probability of detecting fraud, W identify (1) risks inherent in waste, abuse, or error; prevent- agency operations, (2) criteria for ing an improper activity; or determining low, medium, and enhancing regulatory high risks, and (3) acceptable compliance. levels of risk under varying circumstances. W Assess risks both quantita- tively and qualitatively.

Su pportive Attitude

Managers and employees This standard requires Attitude is not reflected in are to maintain and demon- agency managers and employees any one particular aspect of strate a positive and supportive to be attentive to internai control managers' actions but rather is attitude toward internal con- matters and to take steps to pro- fostered by managers' commit- trols at all times. mote the effectiveness of the ment to achieving strong con- controls. Attitude affects the trols through actions concerning quality of performance and, as a agency organization, personnel result, the quality of internal con- practices, communication, pro- trols. A positive and supportive tection and use of resources attitude is initiated and through systematic account- fostered by management and is ability, monitoring and systems ensured when internal controls of reporting, and general leader- are a consistently high man- ship. However, one important agement priority.

4 way for management to demon- The organization of an In the final analysis, general strate its support for good inter- agency provides its management leadership is critical to maintain- nal controls is its emphasis on with the overall framework for ing a positive and supportive atti- the value of internal auditing and planning, directing, and control- tude toward internal controls. its responsiveness to information ling its operations. Good internal Adequate supervision, training, developed through internal control requires clear lines of and motivation of employees in audits. a uthorily and responsibility; the area of internal controls is appropriate reporting relation- , important. ships; and appropriate separation of authority.

Co mpet en t Personnel

Managers and employees This standard requires man- In addition, hiring and staff - are to have personal and pro- agers and their staffs to maintain ing decisions should include per- I fessional integrity and are to and demonstrate (11 personal tinent verification of education maintain a level of competence and professional integrity, (2)a and experience and, once on the that aflows them to accomphh level of skill necessary to help job, the individual should be their assigned duties, as well as ensure effective performance, given the necessary formal and understand the importance of and (3) an understanding of on-the-job training. Managers developing and implementing internal controls sufficient to who possess a good understand- good internal controls. effectiveI y discharge the ir ing of internal controls are vital responsibilities. to effective control systems. Many eiements influence Counseling and performance the integrity of rnanzgers and appraisals are also important. their staffs. For example, person- Overa II performance appra isa Is nel shauld periodically be should be based on an assess- reminded of their obligations ment of many critical factors, under an operative code of one of which should be the conduct. implementation and mainte- nance of effective internal contr o I s. Cont r o I 0b ject ives

Internal control objectives This standard requires that services, mail processing and are to be identified or devel- objectives be tailored to an agen- delivery, and printing. The four oped for each agency activity cy's operations. All operations of types of cycles obviously interact. and are to be logical, applica- an agency can generally be and controls over this interaction ble, and reasonably complete. grouped into one or more catego- must be established. For exam- ries called cycles. Cycles com- ple, a typical grant cycle would prise all specific activities (such be concerned with eligibility and, as identifying, classifying, re- if awarded, administration of the cording, and reporting rnforma- grant. At the time of award, the

tion) required to process a par- grant (program) and disburse ~ ticular transaction or event. ment (financial) cycles would Cycles should be compatible with interface to control and record an agency's organization and the payment authorization. division of responsibilities. Complying with this stand- Cycles can be categorized in ard calls for identifying the cycles various ways. For example: of agency operations and analyz- MAgency management. ing each in detail to develop the cycle control objectives. These Financial. are the internal control goals or IProgram (operational). targets to be achieved in each cycle. The objectives should be IAdm i nI strat ive. tailored to fit the specific opera- Agency management cycles tions in each agency and be con- cover the overall policy and sistent with the overall objectives plann in g, organ iza t ion, data of internal controls as set forth in processing, and audit functions. the Federal Managers' Financial Financial cycles cover the tradi- Integrity Act. tional control areas concerned In appendix B of its "Guide- with the flow of funds (revenues lines for the Evaluation and Im- and expenditures}, related provement of and Reporting on assets, and financial information. Internal Control Systems in the Program (operational) cycles are Federal Government," OM6 has those agency activities that provided a list of suggested relate to the mission(s) of the agency cycles and cycle control agency and which are peculiar to objectives. Agencies should con- a specific agency. Administrative sider this and other sources cycles are those agency activities when identifying their cycles and providing support to the agency's cycle control objectives. primary mission, such as library

6 i

Control Tech n iques

E Internal control techniques Internal control techniques To be effective, techniques are to be effective and efficient are the mechanisms by which should fulfill their intended pur- in accomplishing their internal control objectives are achieved. pose in actual application. They control objectives. Techniques include, but are not should provide the coverage they limited to, such things as specific are supposed to and operate policies, procedures, plans of when intended. As for efficiency, orga niza t i on (incl udi ng se pa ra - techniques should be designed tion of duties), and physical to derive maximum benefit with arrangements (such as locks and minimum effort. Techniques fire alarms). This standard tested for effectiveness and effi- requires that internal control ciency should be those in actual techniques continually provide a operation and should be evalu- high degree of assurance that ated over a period of time. the internal control objectives are being achieved. To do so they must be effective and efficient. EXPLANATION OF SPECIFIC STAN DAR DS

i A number of techniques are achieved. These critical tech- essential to providing the great- niques are the specific standards est assurance that the internal discussed below. control objectives wilt be

Documentation

Internal control systems This standard requires writ- trative policy, and accounting and all transactions and other ten evidence of (1) an agency's manuals. Docurnentation of significant events are to be internal control Objectives and transactions or other significant clearly documented, and the techniques and accountability events should be complete and documentation is to be readily systems and (2) all pertinent accurate and should facilitate available for examination. aspects of transactions and other tracing the transaction or event significant events of an agency. and related information from Also, the documentation must be before it occurs, while it is in available as well as easily process, to after it Is completed. accessible for examination. Corn p Iyi ng with this sta nd- Documentation of internal ard requires that the documenta- control systems should include tion of internal control systems identification of the cycles and and transactions and other sig- related objectives and tech- nificant events be purposeful and niques, and should appear in useful to managers in controlling management directives, adminis- their operations, and to auditors or others involved in analyzing 1 operations.

8 ...... , i

Recording of Transactions and Events

Transactions and other sig- Transactions must be (2)all aspects of the transaction nificant events are to be promptly recorded if pertinent while in process, and (3)its final promptly recorded and properly information is to maintain its classification in summary

classified + relevance and vaiue to manage- records. Proper classification of men t in controlling operations transactions and events is the an3 making decisions. This organization and format of standard applies to (1) the entire information on summary records process or life cycle of a transac- from which reports and tion or event and includes the statements are prepared. initiation and authorization,

Execution of Transactions and Events

Transactions and other sig- This standard deals with to managers and employees and nificant events are to be author- manage me nt ‘s decisions to should include the specific condi- ized and executed only by per- exchange, transfer, use, or tions and terms under which sons acting within the scope of commit resources for specified authorizations are to be made. their authority. purposes under specific condi- Conforming to the terms of an tions. It is the principal means of authorization means that em- assuring that only valid transac- ployees are carrying out their as- tions and other events are signed duties in accordance with entered into. Authorization directives and within the limita- should be clearly communicated tions established by management.

9 Separation of Duties

Key duties and responsibili- To reduce the risk of error, ces exist. Key duties include ties in authorizing, processing, waste, or wrongful acts or to authorizing, approving, and recording, and reviewing trans- reduce the risk of their going recording transactions; issuing actions should be separated undetected, no one individual and receiving assets; making among individuals. should control all key aspects of payments; and reviewing or au- a transaction or event. Rather, diting transactions. Collusion, duties and responsibilities should however, can reduce or destroy be assigned systematically to a the effectiveness of this internal number of individuals to ensure control standard. that effective checks and balan-

Supervision

Qualified and continuous This standard requires HSystematicaIly reviewing supervision is to be provided to supervisors to continuously each member's work to the ensure that internal control ob- review and approve the assigned extent necessary. jectives are achieved. work of their staffs. It also MApproving work at critical requires that they provide their points to ensure that work flows staffs with the necessary guid- as intended. ance and training to help ensure that errors, waste, and Assignment, review, and ap- wrongful acts are minimized and proval of a staff's work should that specific management direc- result in the proper processing of tives are achieved. transactions and events includ- ing (1) following approved proce- Assignment, review, and ap- dures and requirements, (2) proval of a staff's work requires: detecting and eliminating errors, lClea rly com rn un ica t i ng the misunderstandings, and duties, responsibilities, and ac- improper practices, and (3) dis- countabilities assigned each staff couraging wrongful acts from member occurring or from recurring.

10 Access to and Accou nta bi Ii ty for Resources

Access to resources and The basic concept behind re- Other factors affecting ac- records is to be limited to auth- stricting access to resources is to cess include the cost, portability, orized individuals, and account- help reduce the risk of unauthor- exchangeability, and the per- ability for the custody and use ized use or loss to the Govern- ceived risk of loss or improper of resources is to be assigned ment, and to help achieve the use of the resource. In addition, and maintained. Periodic directives of management. How- assigning and maintaining comparison shall be made of ever, restricting access to accou nta biIi ty for resou rces the resources with the recorded resources depends upon the ’ involves directing and communi- accountability to determine vulnerability of the resource and cating responsibility to specific whether the two agree. The the perceived risk of loss, both of individuals within an agency for frequency of the comparison which should be periodically the custody and use of resources shall be a function of the assessed. For example, access to in achieving the specifically iden- vulnerability of the asset. and accountability for highly t if ied manage me nt di rective s. vulnerable documents, such as check stocks, can be achieved by; HKeeping them locked in a safe . IAssigning or having each document assigned a sequential number. W Assigning custodial accountability to responsible individuals.

11 EXPLANATION OF THE AUDIT RESOLUTION STANDAR D

Prompt Resolution of Audit Findings

Managers are to (1) The audit resolution stand- (2)produces improvements, or promptly evaluate findings and ard requires managers to take (3) demonstrates the audit ftnd- recommendations reported by prompt, responsive action on all i~gsand recommendations are auditors, (2)determine proper findings and recommendations either invalid or do not warrant management action. actions in response to audit made by auditors. Responsive action is that which corrects findings and recommendations. Auditors are responsible for identified deficiencies. Where and (3)complete, within estab- following up on audit findings audit findings identify opportuni- and reconlmendations to ascer- lished time frames, all actions ties for improvement rather than that correct or otherwise tain that resolution has been cite deficiencies, responsive achieved. Auditors' findings and resolve the matters brought to action is that which produces recornmendations should be management's attention. irnprovements. monitored through the The audit resolution process resolution and followup begins when the results of an processes. Top management audit are reported to manage- should be kept informed through ment, and is completed only after periodic reports so it can assure action has been taken that (1 ) the quality and timeliness of ccrrects identified deficiencies, individual resolution decisions.