GAO-01-1008G Internal Control Management and Evaluation Tool

GAO

United States General Accounting Office

Internal Control Standards

August 2001

Internal Control

Management and

Evaluation Tool

GAO-01-1008G

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)

PREFACE

August 2001

The General Accounting Office (GAO) issues standards for internal control in the federal

government as required by 31 U.S.C. 3512(c), commonly referred to as the Federal Managers’

Financial Integrity Act of 1982. GAO first issued the standards in 1983. They became widely

known throughout the government as the “Green Book.” Since then, changes in information

technology, emerging issues involving human capital management, and requirements of recent

financial management-related legislation have prompted renewed focus on internal control.

Consequently, GAO revised the standards and reissued them as Standards for Internal Control in

the Federal Government (GAO/AIMD-00-21.3.1, November 1999). These standards provide the

overall framework for establishing and maintaining internal control and for identifying and

addressing major performance challenges and areas at greatest risk for fraud, waste, abuse, and

mismanagement.

We are issuing this Management and Evaluation Tool, which is based upon GAO’s Standards

for Internal Control in the Federal Government, to assist agencies in maintaining or

implementing effective internal control and, when needed, to help determine what, where, and

how improvements can be implemented. Although this tool is not required to be used, it is

intended to provide a systematic, organized, and structured approach to assessing the internal

control structure. It is one in a series of related documents we have issued to assist agencies in

improving or maintaining effective operations. (See the last page of this document for a list of

Related Products 71

Abbreviations

CFO Chief Financial Officer

COSO Committee of Sponsoring Organizations of the Treadway Commission

FAM Financial Audit Manual

FFMIA Federal Financial Management Improvement Act of 1996

FISCAM Federal Information System Controls Audit Manual

FMFIA Federal Managers’ Financial Integrity Act of 1982

GAO General Accounting Office

GPRA Government Performance and Results Act of 1993

OMB Office of Management and Budget

OPM Office of Personnel Management

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 4

(BLANK)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 5

INTRODUCTION

As federal managers strive to achieve their agency’s missions and goals and provide

accountability for their operations, they need to continually assess and evaluate their internal

control structure to assure that it is well designed and operated, appropriately updated to meet

changing conditions, and provides reasonable assurance that the objectives of the agency are

being achieved. Specifically, managers need to examine internal control to determine how well

it is performing, how it may be improved, and the degree to which it helps identify and address

major risks for fraud, waste, abuse, and mismanagement.

Using This Document

This document is an Internal Control Management and Evaluation Tool. Although this tool is

not required to be used, it is intended to help managers and evaluators determine how well an

agency’s internal control is designed and functioning and help determine what, where, and how

improvements, when needed, may be implemented.

This tool is based upon the guidance provided in GAO’s Standards for Internal Control in the

Federal Government (GAO/AIMD-00-21.3.1, November 1999). That document provides the

context for the use and application of this tool. Consequently, users of this tool (and managers

and staff in general) should become familiar with the standards provided in that document. In

addition, it would be helpful if users who are not experienced in internal control matters have

access to persons who have such experience.

The tool is presented in five sections corresponding to the five standards for internal control:

control environment, risk assessment, control activities, information and communications, and

monitoring. Each section contains a list of major factors to be considered when reviewing

internal control as it relates to the particular standard. These factors represent some of the more

important issues addressed by the standard. Included under each factor are points and subsidiary

points that users should consider when addressing the factor. The points and subsidiary points

are intended to help users consider specific items that indicate the degree to which internal

control is functioning. Users should apply informed judgment when considering the specific

points and subsidiary points to determine (1) the applicability of the point to the circumstances,

(2) whether the agency has actually been able to implement, perform, or apply the point, (3) any

control weaknesses that may actually result, and (4) the extent to which the point impacts on the

agency’s ability to achieve its mission and goals.

Space is provided beside each point and subsidiary point for the user to note comments or

provide descriptions of the circumstances affecting the issue. Comments and descriptions

usually will not be of the “yes/no” type, but will generally include information on how the

agency does or does not address the issue. Users could also use this comment space to indicate

whether any problems found might be major or minor control weaknesses. This tool is intended

to help users reach a conclusion about the agency’s internal control as it pertains to the particular

standard. In this regard, a space is provided at the end of each section for the user to note the

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 6

general overall assessment and to identify actions that might need to be taken or considered.

Additional space is provided for an overall summary assessment at the end of the tool.

It should be understood that this tool is not an authoritative part of the standards for internal

control. Rather, it is intended as a supplemental guide that federal managers and evaluators may

use in assessing the effectiveness of internal control and identifying important aspects of control

in need of improvement. Users should keep in mind that this tool is a starting point and that it

can and should be modified to fit the circumstances, conditions, and risks relevant to the

situation of each agency. Not all of the points or subsidiary points need to be considered for

every agency or activity, depending upon the type of mission being performed and the

cost/benefit aspect of a particular control item. Users should consider the relevant points and

subsidiary points and delete or add others as appropriate to their particular entity or

circumstances. In addition, users should note that this document follows the format of the

standards for internal control. Users may rearrange or reorganize the points and subsidiary

points to fit their particular needs or desires.

This Tool Can Help

This tool could be useful in assessing internal control as it relates to the achievement of the

objectives in any of the three major control categories, i.e., effectiveness and efficiency of

operations, reliability of financial reporting, and compliance with laws and regulations. It may

also be useful with respect to the subset objective of safeguarding assets from fraud, waste,

abuse, or misuse. In addition, the tool may be used when considering internal control as it relates

to any of the various activities of an agency, such as administration, human capital management,

financial management, acquisition and procurement, and provision of goods or services.

Furthermore, the tool may be helpful in meeting the reporting requirements of 31 U.S.C.

3512(c), commonly referred to as the Federal Managers’ Financial Integrity Act (FMFIA) of

1982. The FMFIA requires annual reporting on agency internal control. The act directs the head

of each executive agency to provide an annual statement as to whether the agency’s internal

control complies with the prescribed standards. Essentially, this requires the report to make a

declaration as to the effectiveness of the internal control. If the internal control does not comply

with such requirements, the report is to identify material weaknesses and the plans and schedule

for correcting those weaknesses. Office of Management and Budget (OMB) Circular A-123,

Management Accountability and Control, revised June 21, 1995, provides agencies guidance on

how to satisfy the FMFIA reporting requirements.

Related Resources

It should be further noted that this tool is not the only resource available for assessing internal

control. It should be used in conjunction with other resources, such as the guidance provided in

OMB Circular A-123, Management Accountability and Control, revised June 21, 1995.

Financial statement auditors should follow GAO’s Financial Audit Manual (FAM)

(GAO/AFMD-12.19.5A/B, December 1997), as amended. The FAM provides the process and

OMB Circular A-123 uses the term “management control,” whereas this document uses the term “internal

control.” GAO’s internal control standards state that these terms are synonymous.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 7

methodology the auditor is to follow when reviewing internal control in financial audits. The

financial auditor considers internal control primarily as it relates to financial reporting and

compliance with laws and regulations. Relating to internal control, the FAM focuses on the

auditor’s identification and assessment of risk as it relates to the financial statement audit

objectives. On the other hand, this tool discusses internal control from a broader, overall entity

perspective based on the internal control standards and focusing on management’s operational

and program objectives. Although the focus of each document is different, they are

complementary.

This Management and Evaluation Tool was developed using many different sources of

information and ideas. The primary source was, of course, GAO’s Standards for Internal

Control in the Federal Government. Additional guidance was obtained from the “Evaluation

Tools” section of Internal Control – Integrated Framework, by the Committee of Sponsoring

Organizations of the Treadway Commission (COSO), issued in September 1992. Consideration

was given to the requirements of pertinent legislation, including the Federal Managers’ Financial

Integrity Act (FMFIA) of 1982, the Chief Financial Officers Act of 1990, the Government

Performance and Results Act (GPRA) of 1993, and the Federal Financial Management

Improvement Act (FFMIA) of 1996. Further guidance was developed using prior GAO

publications, including Human Capital: A Self-Assessment Checklist for Agency Leaders

(GAO/OGC-00-14G, September 2000, Version 1) and the Federal Information System Controls

Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). Finally, essential material was

also developed based on the many years of experience of GAO evaluators and analysts in

reviewing and assessing federal agency internal control.

This publication is one in a series of documents issued by GAO to assist agencies in improving

or maintaining effective operations. See the last page of this document for a list of related

products.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 8

(BLANK)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 9

CONTROL ENVIRONMENT

According to the first internal control standard, which relates to control environment,

management and employees should establish and maintain an environment throughout the

organization that sets a positive and supportive attitude toward internal control and conscientious

management. There are several key factors that affect the accomplishment of this goal.

Managers and evaluators should consider each of these control environment factors when

determining whether a positive control environment has been achieved. The factors that should

be focused on are listed below. The list is a beginning point. It is not all-inclusive and not every

item will apply to every agency or activity within the agency. Even though some of the

functions are subjective in nature and require the use of judgment, they are important in

achieving control environment effectiveness.

Integrity and Ethical Values Comments/Descriptions

1. The agency has established and uses a formal code or

codes of conduct and other policies communicating

appropriate ethical and moral behavioral standards

and addressing acceptable operational practices and

conflicts of interest. Consider the following:

• The codes are comprehensive in nature and directly

address issues such as improper payments,

appropriate use of resources, conflicts of interest,

political activities of employees, acceptance of gifts

or donations or foreign decorations, and use of due

professional care.

• The codes are periodically acknowledged by

signature from all employees.

• Employees indicate that they know what kind of

behavior is acceptable and unacceptable, what

penalties unacceptable behavior may bring, and what

to do if they become aware of unacceptable behavior.

2. An ethical tone has been established at the top of the

organization and has been communicated throughout

the agency. Consider the following:

Executive branch employees are subject to standards and principles of ethical conduct in accordance with

5CFR2635 and Executive Orders 12674 and 12731.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 10

Integrity and Ethical Values Comments/Descriptions

• Management fosters and encourages an agency

culture that emphasizes the importance of integrity

and ethical values. This might be achieved through

oral communications in meetings, via one-on-one

discussions, and by example in day-to-day activities.

• Employees indicate that peer pressure exists for

appropriate moral and ethical behavior.

• Management takes quick and appropriate action as

soon as there are any signs that a problem may exist.

3. Dealings with the public, Congress, employees,

suppliers, auditors, and others are conducted on a high

ethical plane. Consider the following:

• Financial, budgetary, and operational/programmatic

reports to Congress, OMB, Treasury, the Office of

Personnel Management (OPM), and the public are

proper and accurate (not intentionally misleading).

• Management cooperates with auditors and other

evaluators, discloses known problems to them, and

values their comments and recommendations.

• Underbillings by suppliers or overpayments by users

or customers are quickly corrected.

• The agency has a well-defined and understood

process for dealing with employee claims and

concerns in a timely and appropriate manner.

4. Appropriate disciplinary action is taken in response to

departures from approved policies and procedures or

violations of the code of conduct. Consider the

following:

• Management takes action when there are violations of

policies, procedures, or the code(s) of conduct.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 11

Integrity and Ethical Values Comments/Descriptions

• The types of disciplinary actions that can be taken are

widely communicated throughout the agency so that

others know that if they behave improperly, they will

face similar consequences.

5. Management appropriately addresses intervention or

overriding internal control. Consider the following:

• Guidance exists concerning the circumstances and

frequency with which intervention may be needed,

and the management levels which may take such

action.

• Any intervention or overriding of internal control is

fully documented as to reasons and specific actions

taken.

• Overriding of internal control by low-level

management personnel is prohibited except in

emergency situations, and upper-level management is

immediately notified and the circumstances are

documented.

6. Management removes temptation for unethical

behavior. Consider the following:

• Management has a sound basis for setting realistic

and achievable goals and does not pressure

employees to meet unrealistic ones.

• Management provides fair, nonextreme incentives (as

opposed to unfair and unnecessary temptations) to

help ensure integrity and adherence to ethical values.

• Compensation and promotion are based on

achievements and performance.

Commitment to Competence Comments/Descriptions

1. Management has identified and defined the tasks

required to accomplish particular jobs and fill the

various positions. Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 12

Commitment to Competence Comments/Descriptions

• Management has analyzed the tasks that need to be

performed for particular jobs and given consideration

to such things as the level of judgment required and

the extent of supervision necessary.

• Formal job descriptions or other means of identifying

and defining specific tasks required for job positions

have been established and are up-to-date.

2. The agency has performed analyses of the knowledge,

skills, and abilities needed to perform jobs

appropriately. Consider the following:

• The knowledge, skills, and abilities needed for

various jobs have been identified and made known to

employees.

• Evidence exists that the agency attempts to assure that

employees selected for various positions have the

requisite knowledge, skills, and abilities.

3. The agency provides training and counseling in order

to help employees maintain and improve their

competence for their jobs. Consider the following:

• There is an appropriate training program to meet the

needs of all employees.

• The agency emphasizes the need for continuing

training and has a control mechanism to help ensure

that all employees actually received appropriate

training.

• Supervisors have the necessary management skills

and have been trained to provide effective job

performance counseling.

• Performance appraisals are based on an assessment of

critical job factors and clearly identify areas in which

the employee is performing well and areas that need

improvement.

• Employees are provided candid and constructive job

performance counseling.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 13

Commitment to Competence Comments/Descriptions

4. Key senior-level employees have a demonstrated

ability in general management and extensive practical

experience in operating governmental or business

entities.

Management’s Philosophy and Operating Style Comments/Descriptions

1. Management has an appropriate attitude toward risk-

taking, and proceeds with new ventures, missions, or

operations only after carefully analyzing the risks

involved and determining how they may be minimized

or mitigated.

2. Management enthusiastically endorses the use of

performance-based management.

3. There has not been excessive personnel turnover in key

functions, such as operations and program

management, accounting, or internal audit, that would

indicate a problem with the agency’s emphasis on

internal control. Consider the following:

• There has not been excessive turnover of supervisory

personnel related to internal control problems, and

there is a strategy for dealing with turnover related to

constraints and limitations such as salary caps.

• Key personnel have not quit unexpectedly.

• Personnel turnover has not been so great as to impair

internal control as a result of employing many people

new to their jobs and unfamiliar with the control

activities and responsibilities.

• There is no pattern to personnel turnover that would

indicate a problem with the emphasis that

management places on internal control.

4. Management has a positive and supportive attitude

toward the functions of accounting, information

management systems, personnel operations,

monitoring, and internal and external audits and

evaluations. Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 14

Management’s Philosophy and Operating Style Comments/Descriptions

• The financial accounting and budgeting operations

are considered essential to the well-being of the

organization and viewed as methods for exercising

control over the entity’s various activities.

• Management regularly relies on accounting/financial

and programmatic data from its systems for decision-

making purposes and performance evaluation.

• If the accounting operation is decentralized, unit

accounting personnel also have reporting

responsibility to the central financial officer(s).

• The financial management, accounting operations,

and budget execution operations are under the

direction of the Chief Financial Officer (CFO) and

strong synchronization and coordination exists

between budgetary and proprietary financial

accounting activities.

• Management looks to the information management

function for critical operating data and supports

efforts to make improvements in the systems as

technology advances.

• Personnel operations have a high priority and senior

executives emphasize the importance of good human

capital management.

• Management places a high degree of importance on

the work of the Inspector General, external audits,

and other evaluations and studies and is responsive to

information developed through such products.

5. Valuable assets and information are safeguarded from

unauthorized access or use.

6. There is frequent interaction between senior

management and operating/program management,

especially when operating from geographically

dispersed locations.

Specific subsidiary points to consider with regard to physical control over vulnerable assets are discussed

under the section on “Control Activities,” under “Common Categories of Control Activities,” 5

point.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 15

Management’s Philosophy and Operating Style Comments/Descriptions

7. Management has an appropriate attitude toward

financial, budgetary, and operational/programmatic

reporting. Consider the following:

• Management is informed and involved in critical

financial reporting issues and supports a conservative

approach toward the application of accounting

principles and estimates.

• Management discloses all financial, budgetary, and

programmatic information needed to fully understand

the operations and financial condition of the agency.

• Management avoids focus on short-term reported

results.

• Personnel do not submit inappropriate or inaccurate

reports in order to meet targets.

• Facts are not exaggerated and budgetary estimates are

not stretched to a point of unreasonableness.

Organizational Structure Comments/Descriptions

1. The agency’s organizational structure is appropriate

for its size and the nature of its operations. Consider

the following:

• The organizational structure facilitates the flow of

information throughout the agency.

• The organizational structure is appropriately

centralized or decentralized, given the nature of its

operations, and management has clearly articulated

the considerations and factors taken into account in

balancing the degree of centralization versus

decentralization.

2. Key areas of authority and responsibility are defined

and communicated throughout the organization.

Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 16

Organizational Structure Comments/Descriptions

• Executives in charge of major activities or functions

are fully aware of their duties and responsibilities.

• An accurate and updated organizational chart

showing key areas of responsibility is provided to all

employees.

• Executives and key managers understand their

internal control responsibilities and ensure that their

staff also understand their own responsibilities.

3. Appropriate and clear internal reporting relationships

have been established. Consider the following:

• Reporting relationships have been established and

effectively provide managers information they need

to carry out their responsibilities and perform their

jobs.

• Employees are aware of the established reporting

relationships.

• Mid-level managers can easily communicate with

senior operating executives.

4. Management periodically evaluates the organizational

structure and makes changes as necessary in response

to changing conditions.

5. The agency has the appropriate number of employees,

particularly in managerial positions. Consider the

following:

• Managers and supervisors have time to carry out their

duties and responsibilities.

• Employees do not have to work excessive overtime or

outside the ordinary workweek to complete assigned

tasks.

• Managers and supervisors are not fulfilling the roles

of more than one employee.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 17

Assignment of Authority and Responsibility Comments/Descriptions

1. The agency appropriately assigns authority and

delegates responsibility to the proper personnel to deal

with organizational goals and objectives. Consider the

following:

• Authority and responsibility are clearly assigned

throughout the organization and this is clearly

communicated to all employees.

• Responsibility for decision-making is clearly linked

to the assignment of authority, and individuals are

held accountable accordingly.

• Along with increased delegation of authority and

responsibility, management has effective procedures

to monitor results.

2. Each employee knows (1) how his or her actions

interrelate to others considering the way in which

authority and responsibilities are assigned, and (2) is

aware of the related duties concerning internal control.

Consider the following:

• Job descriptions clearly indicate the degree of

authority and accountability delegated to each

position and the responsibilities assigned.

• Job descriptions and performance evaluations contain

specific references to internal control-related duties,

responsibilities, and accountability.

3. The delegation of authority is appropriate in relation

to the assignment of responsibility. Consider the

following:

• Employees at the appropriate levels are empowered to

correct problems or implement improvements.

• There is an appropriate balance between the

delegation of authority at lower levels to “get the job

done” and the involvement of senior-level personnel.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 18

Human Resource Policies and Practices Comments/Descriptions

1. Policies and procedures are in place for hiring,

orienting, training, evaluating, counseling, promoting,

compensating, disciplining, and terminating

employees. Consider the following:

• Management communicates information to recruiters

about the type of competencies needed for the work

or participates in the hiring process.

• The agency has standards or criteria for hiring

qualified people, with emphasis on education,

experience, accomplishment, and ethical behavior.

• Position descriptions and qualifications are in

accordance with OPM guidance and standardized

throughout the agency for similar jobs.

• A training program has been established and includes

orientation programs for new employees and ongoing

training for all employees.

• Promotion, compensation, and rotation of employees

are based on periodic performance appraisals.

• Performance appraisals are linked to the goals and

objectives included in the agency’s strategic plan.

• The importance of integrity and ethical values is

reflected in performance appraisal criteria.

• Employees are provided with appropriate feedback

and counseling on their job performance and

suggestions for improvements.

• Disciplinary or remedial action is taken in response to

violations of policies or ethical standards.

• Employment is terminated, following established

policies, when performance is consistently below

standards or there are significant and serious

violations of policy.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 19

Human Resource Policies and Practices Comments/Descriptions

• Management has established criteria for employee

retention and considers the effect upon operations if

large numbers of employees are expected to leave or

retire in a given period.

2. Background checks are conducted on candidates for

employment. Consider the following:

• Candidates who change jobs often are given

particularly close attention.

• Hiring standards require investigations for criminal

records for all potential employees.

• References and previous employers are contacted.

• Educational and professional certifications are

confirmed.

3. Employees are provided a proper amount of

supervision. Consider the following:

• Employees receive guidance, review, and on-the-job

training from supervisors to help ensure proper work

flow and processing of transactions and events,

reduce misunderstandings, and discourage wrongful

acts.

• Supervisory personnel ensure that staff are aware of

their duties and responsibilities and management’s

expectations.

Oversight Groups Comments/Descriptions

1. Within the agency, there are mechanisms in place to

monitor and review operations and programs.

Consider the following:

• An Inspector General, who is independent from

management, audits and reviews agency activities.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 20

Oversight Groups Comments/Descriptions

• The agency has an audit committee or senior

management council consisting of high-level line and

staff executives that review the internal audit work

and coordinate closely with the Inspector General and

external auditors.

• If there is an internal audit operation it reports to the

agency head.

• The internal audit function reviews that agency’s

activities and systems and provides information,

analyses, appraisals, recommendations, and counsel

to management.

2. The agency works closely with executive branch

oversight organizations. Consider the following:

• The agency has a good working relationship with

OMB, and major officials, including the CFO, meet

regularly with OMB personnel to discuss areas such

as financial and budgetary reporting, internal control,

and management’s performance.

• High-level agency personnel maintain good working

relationships with other executive branch agencies

that exercise multi-agency control responsibilities,

such as the Department of the Treasury, the General

Services Administration, and OPM.

3. The agency maintains a close relationship with

Congress in general and oversight committees in

particular. Consider the following:

• The agency provides Congress and oversight

committees with timely and accurate information to

allow monitoring of agency activities, including

review of the agency’s (1) mission and goals,

(2) performance reporting, and (3) financial position

and operating results.

Agencies may or may not have an internal audit function separate and apart from the Inspector General.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 21

Oversight Groups Comments/Descriptions

• High-level agency officials meet regularly with

congressional and GAO staff to discuss major issues

affecting operations, internal control, performance,

and other major agency activities and programs.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 22

Control Environment Summary Section

Provide General Conclusions and Actions Needed Here:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 23

RISK ASSESSMENT

The second internal control standard addresses risk assessment. A precondition to risk

assessment is the establishment of clear, consistent agency goals and objectives at both the entity

level and at the activity (program or mission) level. Once the objectives have been set, the

agency needs to identify the risks that could impede the efficient and effective achievement of

those objectives at the entity level and the activity level. Internal control should provide for an

assessment of the risks the agency faces from both internal and external sources. Once risks

have been identified, they should be analyzed for their possible effect. Management then has to

formulate an approach for risk management and decide upon the internal control activities

required to mitigate those risks and achieve the internal control objectives of efficient and

effective operations, reliable financial reporting, and compliance with laws and regulations. A

manager or evaluator will focus on management's processes for objective setting, risk

identification, risk analysis, and management of risk during times of change. Listed below are

factors a user might consider. The list is a beginning point. It is not all-inclusive nor will every

item apply to every agency or activity within the agency. Even though some of the functions and

points may be subjective in nature and require the use of judgment, they are important in

performing risk assessment.

Establishment of Entitywide Objectives Comments/Descriptions

1. The agency has established entitywide objectives that

provide sufficiently broad statements and guidance

about what the agency is supposed to achieve, yet are

specific enough to relate directly to the agency.

Consider the following:

• Management has established overall entitywide

objectives in the form of mission, goals, and

objectives, such as those defined in strategic and

annual performance plans developed under the

GPRA.

• The entitywide objectives relate to and stem from

program requirements established by legislation.

• The entitywide objectives are specific enough to

clearly apply to the agency instead of applying to all

agencies.

2. Entitywide objectives are clearly communicated to all

employees, and management obtains feedback

signifying that the communication has been effective.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 24

Establishment of Entitywide Objectives Comments/Descriptions

3. There is a relationship and consistency between the

agency’s operational strategies and the entitywide

objectives. Consider the following:

• Strategic plans support the entitywide objectives.

• Strategic plans address resource allocations and

priorities.

• Strategic plans and budgets are designed with an

appropriate level of detail for various management

levels.

• Assumptions made in strategic plans and budgets are

consistent with the agency’s historical experience and

current circumstances.

4. The agency has an integrated management strategy

and risk assessment plan that considers the entitywide

objectives and relevant sources of risk from internal

management factors and external sources and

establishes a control structure to address those risks.

Establishment of Activity-Level Objectives Comments/Descriptions

1. Activity-level (program or mission-level) objectives

flow from and are linked with the agency’s entitywide

objectives and strategic plans. Consider the following:

• All significant activities are adequately linked to the

entitywide objectives and strategic plans.

• Activity-level objectives are reviewed periodically to

assure that they have continued relevance.

2. Activity-level objectives are complementary, reinforce

each other, and are not contradictory.

3. The activity-level objectives are relevant to all

significant agency processes. Consider the following:

• Objectives have been established for all the key

operational activities and the support activities.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 25

Establishment of Activity-Level Objectives Comments/Descriptions

• Activity-level objectives are consistent with effective

past practices and performance, and are consistent

with any industry or business norms that may be

applicable to the agency’s operations.

4. Activity-level objectives include measurement criteria.

5. Agency resources are adequate relative to the activity-

level objectives. Consider the following:

• The resources needed to meet the objectives have

been identified.

• If adequate resources are not available, management

has plans to acquire them.

6. Management has identified those activity-level

objectives that are critical to the success of the overall

entitywide objectives. Consider the following:

• Management has identified the things that must occur

or happen if the entitywide objectives are to be met.

• The critical activity-level objectives receive particular

attention and review from management and their

performance is monitored regularly.

7. All levels of management are involved in establishing

the activity-level objectives and are committed to their

achievement.

Risk Identification Comments/Descriptions

1. Management comprehensively identifies risk using

various methodologies as appropriate. Consider the

following:

• Qualitative and quantitative methods are used to

identify risk and determine relative risk rankings on a

scheduled and periodic basis.

• How risk is to be identified, ranked, analyzed, and

mitigated is communicated to appropriate staff.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 26

Risk Identification Comments/Descriptions

• Risk identification and discussion occur in senior-

level management conferences.

• Risk identification takes place as a part of short-term

and long-term forecasting and strategic planning.

• Risk identification occurs as a result of consideration

of findings from audits, evaluations, and other

assessments.

• Risks that are identified at the employee and mid-

management level are brought to the attention of

senior-level managers.

2. Adequate mechanisms exist to identify risks to the

agency arising from external factors. Consider the

following:

• The agency considers the risks associated with

technological advancements and developments.

• Consideration is given to risks arising from the

changing needs or expectations of Congress, agency

officials, and the public.

• Risks posed by new legislation or regulations are

identified.

• Risks to the agency as a result of possible natural

catastrophes or criminal or terrorist actions are taken

into account.

• Identification of risks resulting from business,

political, and economic changes are determined.

• Consideration is given to the risks associated with

major suppliers and contractors.

• The agency carefully considers any risks resulting

from its interactions with various other federal

entities and parties outside the government.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 27

Risk Identification Comments/Descriptions

3. Adequate mechanisms exist to identify risks to the

agency arising from internal factors. Consider the

following:

• Risks resulting from downsizing of agency operations

and personnel are considered.

• The agency identifies risks associated with business

process reengineering or redesign of operating

processes.

• Consideration is given to risks posed by disruption of

information systems processing and the extent to

which backup systems are available and can be

implemented.

• The agency identifies any potential risks due to highly

decentralized program operations.

• Consideration is given to possible risks resulting from

the lack of qualifications of personnel hired or the

extent to which they have been trained or not trained.

• Risks resulting from heavy reliance on contractors or

other related parties to perform critical agency

operations are identified.

• The agency identifies any risks that might be

associated with major changes in managerial

responsibilities.

• Risks resulting from unusual employee access to

vulnerable assets are considered.

• Risk identification activities consider certain human

capital-related risks, such as the inability to provide

succession planning and retain key personnel who can

affect the ability of the agency or program activity to

function effectively, and the inadequacy of

compensation and benefit programs to keep the

agency competitive with the private sector for labor.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 28

Risk Identification Comments/Descriptions

• Risks related to the availability of future funding for

new programs or the continuation of current programs

are assessed.

4. In identifying risk, management assesses other factors

that may contribute to or increase the risk to which the

agency is exposed. Consider the following:

• Management considers any risks related to past

failures to meet agency missions, goals, or objectives

or failures to meet budget limitations.

• Consideration is given to risks indicated by a history

of improper program expenditures, violations of

funds control, or other statutory noncompliance.

• The agency identifies any risks inherent to the nature

of its mission or to the significance and complexity of

any specific programs or activities it undertakes.

5. Management identifies risks both entitywide and for

each significant activity-level of the agency.

Risk Analysis Comments/Descriptions

1. After the risks to the agency have been identified,

management undertakes a thorough and complete

analysis of their possible effect. Consider the

following:

• Management has established a formal process to

analyze risks, and that process may include informal

analysis based on day-to-day management activities.

• Criteria have been established for determining low,

medium, and high risks.

• Appropriate levels of management and employees are

involved in the risk analysis.

• The risks identified and analyzed are relevant to the

corresponding activity objective.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 29

Risk Analysis Comments/Descriptions

• Risk analysis includes estimating the risk’s

significance.

• Risk analysis includes estimating the likelihood and

frequency of occurrence of each risk and determining

whether it falls into the low, medium, or high-risk

category.

• A determination is made on how best to manage or

mitigate the risk and what specific actions should be

taken.

2. Management has developed an approach for risk

management and control based on how much risk can

be prudently accepted. Consider the following:

• The approach can vary from one agency to another

depending upon variances in risks and how much risk

can be tolerated, but seems appropriate to the agency.

• The approach is designed to keep risks within levels

judged to be appropriate and management takes

responsibility for setting the tolerable risk level.

• Specific control activities are decided upon to manage

or mitigate specific risks entitywide and at each

activity level, and their implementation is monitored.

Managing Risk During Change Comments/Descriptions

1. The agency has mechanisms in place to anticipate,

identify, and react to risks presented by changes in

governmental, economic, industry, regulatory,

operating, or other conditions that can affect the

achievement of entitywide or activity-level goals and

objectives. Consider the following:

• All activities within the agency that might be

significantly affected by changes are considered in

the process.

• Routine changes are addressed through the

established risk identification and analysis processes.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 30

Managing Risk During Change Comments/Descriptions

• Risks resulting from conditions that are significantly

changing are addressed at sufficiently high levels

within the agency so that their full impact on the

organization is considered and appropriate actions are

taken.

2. The agency gives special attention to risks presented by

changes that can have a more dramatic and pervasive

effect on the entity and may demand the attention of

senior officials. Consider the following:

• The agency is especially attentive to risks caused by

the hiring of new personnel to occupy key positions

or by high personnel turnover in any particular area.

• Mechanisms exist to assess the risks posed by the

introduction of new or changed information systems

and risks involved in training employees to use the

new systems and to accept the changes.

• Management gives special consideration to the risks

presented by rapid growth and expansion or rapid

downsizing and the effects on systems capabilities

and revised strategic plans, goals, and objectives.

• Consideration is given to the risks involved when

introducing major new technological developments

and applications and incorporating them into the

operating processes.

• The risks are extensively analyzed whenever the

agency begins the production or provision of new

outputs or services.

• Risks resulting from the establishment of operations

in a new geographical area are assessed.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 31

Risk Assessment Summary Section

Provide General Conclusions and Actions Needed Here:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 32

(BLANK)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 33

CONTROL ACTIVITIES

The third internal control standard addresses control activities. Internal control activities are the

policies, procedures, techniques, and mechanisms that help ensure that management’s directives

to mitigate risks identified during the risk assessment process are carried out. Control activities

are an integral part of the agency’s planning, implementing, and reviewing. They are essential

for proper stewardship and accountability for government resources and for achieving effective

and efficient program results.

Control activities occur at all levels and functions of the agency. They include a wide range of

diverse activities, such as approvals, authorizations, verifications, reconciliations, performance

reviews, security activities, and the production of records and documentation. A manager or

evaluator should focus on control activities in the context of the agency’s management directives

to address risks associated with established objectives for each significant activity (program or

mission). Therefore, a manager or evaluator will consider whether control activities relate to the

risk-assessment process and whether they are appropriate to ensure that management's directives

are carried out. In assessing the adequacy of internal control activities, a reviewer should

consider whether the proper control activities have been established, whether they are sufficient

in number, and the degree to which those activities are operating effectively. This should be done

for each significant activity. This analysis and evaluation should also include controls over

computerized information systems. A manager or evaluator should consider not only whether

established control activities are relevant to the risk-assessment process, but also whether they

are being applied properly.

The control activities put into place in a given agency may vary considerably from those used in

a different agency. This difference may occur because of the (1) variations in missions, goals,

and objectives of the agencies; (2) differences in their environment and manner in which they

operate; (3) variations in degree of organizational complexity; (4) differences in agency histories

and culture; and (5) differences in the risks that the agencies face and are trying to mitigate. It is

probable that, even if two agencies did have the same missions, goals, objectives, and

organizational structures, they would employ different control activities. This is due to

individual judgment, implementation, and management. All of these factors affect an agency’s

internal control activities, which should be designed accordingly to contribute to the achievement

of the agency’s missions, goals, and objectives.

Given the wide variety of control activities that agencies may employ, it would be impossible for

this tool to address them all. However, there are some general, overall points to be considered by

managers and evaluators, as well as several major categories or types of control activity factors

that are applicable at various levels throughout practically all federal agencies. In addition, there

are some control activity factors specifically designed for information systems. These factors

and related points and subsidiary points are listed below as examples of issues to be considered.

They are meant to illustrate the range and variety of control activities that are typically used.

The list is a beginning point. It is not all-inclusive, and not every point or subsidiary point may

apply to every agency or activity within the agency. Even though some of the functions and

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 34

points may be subjective in nature and require the use of judgment, they are important in

assessing the appropriateness of the agency’s internal control activities.

General Application Comments/Descriptions

1. Appropriate policies, procedures, techniques, and

mechanisms exist with respect to each of the agency’s

activities. Consider the following:

• All relevant objectives and associated risks for each

significant activity have been identified in

conjunction with conducting the risk assessment and

analysis function.

• Management has identified the actions and control

activities needed to address the risks and directed

their implementation.

2. The control activities identified as necessary are in

place and being applied. Consider the following:

• Control activities described in policy and procedures

manuals are actually applied and applied properly.

• Supervisors and employees understand the purpose of

internal control activities.

• Supervisory personnel review the functioning of

established control activities and remain alert for

instances in which excessive control activities should

be streamlined.

• Timely action is take on exceptions, implementation

problems, or information that requires follow-up.

3. Control activities are regularly evaluated to ensure

that they are still appropriate and working as

intended.

This point is closely related to the functions, points, and subsidiary points included in the “Monitoring”

section. See that section for more specific information on monitoring and periodic evaluation of control

activities.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 35

Common Categories of Control Activities Comments/Descriptions

1. Top-Level Reviews – Management tracks major

agency achievements in relation to its plans. Consider

the following:

• Top-level management regularly reviews actual

performance against budgets, forecasts, and prior

period results.

• Top management is involved in developing 5-year

and annual performance plans and targets in

accordance with GPRA and measuring and reporting

results against those plans and targets.

• Major agency initiatives are tracked for target

achievement and follow-up actions are taken.

2. Management Reviews at the Functional or Activity

Level – Agency managers review actual performance

against targets. Consider the following:

• Managers at all activity levels review performance

reports, analyze trends, and measure results against

targets.

• Both financial and program managers review and

compare financial, budgetary, and operational

performance to planned or expected results.

• Appropriate control activities are employed, such as

reconciliations of summary information to supporting

detail and checking the accuracy of summarizations

of operations.

3. Management of Human Capital – The agency

effectively manages the organization’s workforce to

achieve results. Consider the following:

• A clear and coherent shared vision of agency mission,

goals, values, and strategies is explicitly identified in

the strategic plan, annual performance plan, and other

guiding documents, and that view has been clearly

and consistently communicated to all employees.

For more detailed information about items to consider, see GAO publication

Human Capital: A Self-

Assessment Checklist for Agency Leaders

(GAO/OGC-00-14G, September 2000, Version 1).

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 36

Common Categories of Control Activities Comments/Descriptions

• The agency has a coherent overall human capital

strategy, as evidenced in its strategic plan,

performance plan, or separate human capital planning

document; and that strategy encompasses human

capital policies, programs, and practices to guide the

agency.

• The agency has a specific and explicit workforce

planning strategy, linked to the overall strategic plan,

and that allows for identification of current and future

human capital needs.

• The agency has defined the type of leaders it wants

through written descriptions of roles, responsibilities,

attributes, and competencies and has established

broad performance expectations for them.

• Senior leaders and managers attempt to build

teamwork, reinforce the shared vision of the agency,

and encourage feedback from employees, as

evidenced by actions taken to communicate this to all

employees and the existence of opportunities for

management to obtain feedback.

• The agency’s performance management system is

given a high priority by top-level officials, and it is

designed to guide the workforce to achieve the

agency’s shared vision/mission.

• Procedures are in place to ensure that personnel with

appropriate competencies are recruited and retained

for the work of the agency, including a formal

recruiting and hiring plan with explicit links to skill

needs the agency has identified.

• Employees are provided orientation, training, and

tools to perform their duties and responsibilities,

improve performance, enhance their capabilities, and

meet the demands of changing organizational needs.

• The compensation system is adequate to acquire,

motivate, and retain personnel, and incentives and

rewards are provided to encourage personnel to

perform at maximum capability.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 37

Common Categories of Control Activities Comments/Descriptions

• The agency provides workplace flexibilities, services,

and facilities (e.g., career counseling, flextime,

casual-dress days, and childcare) to help it compete

for talent and enhance employee satisfaction and

commitment.

• Qualified and continuous supervision is provided to

ensure that internal control objectives are being met.

• Meaningful, honest, constructive performance

evaluation and feedback are provided to help

employees understand the connection between their

performance and the achievement of the agency’s

goals.

• Management conducts succession planning to ensure

continuity of needed skills and abilities.

4. Information Processing – The agency employs a

variety of control activities suited to information

processing systems to ensure accuracy and

completeness. Consider the following:

• Edit checks are used in controlling data entry.

• Accounting for transactions is performed in numerical

sequences.

• File totals are compared with control accounts.

• Exceptions or violations indicated by other control

activities are examined and acted upon.

• Access to data, files, and programs is appropriately

controlled.

5. Physical Control Over Vulnerable Assets – The agency

employs physical control to secure and safeguard

vulnerable assets. Consider the following:

Further guidance on control activities for information processing is provided in the following section

under “Control Activities Specific for Information Systems.” In addition, see GAO’s FISCAM and OMB

Circular A-130,

Management of Federal Information Resources

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 38

Common Categories of Control Activities Comments/Descriptions

• Physical safeguarding policies and procedures have

been developed, implemented, and communicated to

all employees.

• The agency has developed a disaster recovery plan,

which is regularly updated and communicated to

employees.

• The agency has developed a plan for the identification

of and protection of any critical infrastructure assets.

• Assets that are particularly vulnerable to loss, theft,

damage, or unauthorized use, such as cash, securities,

supplies, inventories, and equipment, are physically

secured and access to them controlled.

• Assets such as cash, securities, supplies, inventories,

and equipment are periodically counted and

compared to control records and exceptions

examined.

• Cash and negotiable securities are maintained under

lock and key and access to them strictly controlled.

• Forms such as blank checks and purchase orders are

sequentially pre-numbered and physically secured

and access to them strictly controlled.

• Mechanical check signers and signature plates are

physically protected and access to them strictly

controlled.

• Equipment vulnerable to theft is securely fastened or

protected in some other manner.

• Identification plates and numbers are affixed to office

furniture and fixtures, equipment, and other portable

assets.

Critical infrastructure assets are those assets of physical and cyber-based systems that are essential to the

minimum operations of the economy and government. In accordance with Presidential Decision Directive

No. 63, dated May 22, 1998, each federal agency is responsible for identifying its own critical infrastructure

and developing a protection plan for it.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 39

Common Categories of Control Activities Comments/Descriptions

• Inventories, supplies, and finished items/goods are

stored in physically secured areas and protected from

damage.

• Facilities are protected from fire by fire alarms and

sprinkler systems.

• Access to premises and facilities is controlled by

fences, guards, and/or other physical controls.

• Access to facilities is restricted and controlled during

nonworking hours.

6. Performance Measures and Indicators – The agency

has established and monitors performance measures

and indicators. Consider the following:

• Performance measures and indicators have been

established throughout the organization at the

entitywide, activity, and individual level.

• The agency periodically reviews and validates the

propriety and integrity of both organizational and

individual performance measures and indicators.

• Performance measurement assessment factors are

evaluated to ensure they are linked to mission, goals,

and objectives, and are balanced and set appropriate

incentives for achieving goals while complying with

law, regulations, and ethical standards.

• Actual performance data are continually compared

against expected/planned goals and differences are

analyzed.

• Comparisons are made relating different sets of data

to one another so that analyses of the relationships

can be made and corrective actions can be taken if

necessary.

• Investigation of unexpected results or unusual trends

leads to identification of circumstances in which the

achievement of goals and objectives may be

threatened and corrective action is taken.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 40

Common Categories of Control Activities Comments/Descriptions

• Analysis and review of performance measures and

indicators are used for both operational and financial

reporting control purposes.

7. Segregation of Duties – Key duties and responsibilities

are divided or segregated among different people to

reduce the risk of error, waste, or fraud. Consider the

following:

• No one individual is allowed to control all key

aspects of a transaction or event.

• Responsibilities and duties involving transactions and

events are separated among different employees with

respect to authorization, approval, processing and

recording, making payments or receiving funds,

review and auditing, and the custodial functions and

handling of related assets.

• Duties are assigned systematically to a number of

individuals to ensure that effective checks and

balances exist.

• Where feasible, no one individual is allowed to work

alone with cash, negotiable securities, or other highly

venerable assets.

• The responsibility for opening mail is assigned to

individuals who have no responsibilities for or access

to files or documents pertaining to accounts

receivable or cash accounts.

• Bank accounts are reconciled by employees who have

no responsibilities for cash receipts, disbursements, or

custody.

• Management is aware that collusion can reduce or

destroy the control effectiveness of segregation of

duties and, therefore, is especially alert for it and

attempts to reduce the opportunities for it to occur.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 41

Common Categories of Control Activities Comments/Descriptions

8. Execution of Transactions and Events – Transactions

and other significant events are authorized and

performed by the appropriate personnel. Consider the

following:

• Controls ensure that only valid transactions and other

events are initiated or entered into, in accordance with

management’s decisions and directives.

• Controls are established to ensure that all transactions

and other significant events that are entered into are

authorized and executed only by employees acting

within the scope of their authority.

• Authorizations are clearly communicated to managers

and employees and include the specific conditions

and terms under which authorizations are to be made.

• The terms of authorizations are in accordance with

directives and within limitations established by law,

regulation, and management.

9. Recording of Transactions and Events – Transactions

and other significant events are properly classified and

promptly recorded. Consider the following:

• Transactions and events are appropriately classified

and promptly recorded so that they maintain their

relevance, value, and usefulness to management in

controlling operations and making decisions.

• Proper classification and recording take place

throughout the entire life cycle of each transaction or

event, including authorization, initiation, processing,

and final classification in summary records.

• Proper classification of transactions and events

includes appropriate organization and format of

information on original documents (hardcopy paper

or electronic) and summary records from which

reports and statements are prepared.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 42

Common Categories of Control Activities Comments/Descriptions

• Excessive adjustments to numbers or account

classifications are not necessary prior to finalization

of financial reports.

10. Access Restrictions to and Accountability for

Resources and Records – Access to resources and

records is limited and accountability for their custody

is assigned. Consider the following:

• The risk of unauthorized use or loss is controlled by

restricting access to resources and records only to

authorized personnel.

• Accountability for resources and records custody and

use is assigned to specific individuals.

• Access restrictions and accountability assignments for

custody are periodically reviewed and maintained.

• Periodic comparison of resources with the recorded

accountability is made to determine if the two agree,

and differences are examined.

• How frequently actual resources are compared to

records and the degree of access restrictions are

functions of the vulnerability of the resource to the

risk of errors, fraud, waste, misuse, theft, or

unauthorized alteration.

• Management considers such factors as asset value,

portability, and exchangeability when determining the

appropriate degree of access restrictions.

• As a part of assigning and maintaining accountability

for resources and records, management informs and

communicates those responsibilities to specific

individuals within the agency and assures that those

people are aware of their duties for appropriate

custody and use of those resources.

11. Documentation – Internal Control and all transactions

and other significant events are clearly documented.

Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 43

Common Categories of Control Activities Comments/Descriptions

• Written documentation exists covering the agency’s

internal control structure and for all significant

transactions and events.

• The documentation is readily available for

examination.

• The documentation for internal control includes

identification of the agency’s activity-level functions

and related objectives and control activities and

appears in management directives, administrative

policies, accounting manuals, and other such

manuals.

• Documentation for internal control includes

documentation describing and covering automated

information systems, data collection and handling,

and the specifics of general and application control

related to such systems.

• Documentation of transactions and other significant

events is complete and accurate and facilitates tracing

the transaction or event and related information from

authorization and initiation, through its processing, to

after it is completed.

• Documentation, whether in paper or electronic form,

is useful to managers in controlling their operations

and to any others involved in evaluating or analyzing

operations.

• All documentation and records are properly managed,

maintained, and periodically updated.

Additional guidance on documentation of control activities for information processing is provided in the

following section under “Control Activities Specific for Information Systems.” In addition, see GAO’s

FISCAM and OMB Circular A-130,

Management of Federal Information Resources

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 44

Control Activities Specific for Information Systems – General Control

As stated in the introduction to the Control Activities Section, there are some control activity

factors specifically designed for information systems. As discussed in the standard, there are two

broad groupings of information systems control – general control and application control.

General control includes the structure, policies, and procedures that apply to the agency’s overall

computer operations. It applies to all information systems – mainframe, minicomputer, network,

and end-user environments. General control creates the environment in which the agency’s

application systems operate. General control activities are presented first followed by

application control activities.

There are six major factors or categories of control activities that need to be considered by the

user when evaluating general control: entitywide security management program, access control,

application software development and change, system software control, segregation of duties,

and service continuity. The factors and related points and some subsidiary points are listed

below as examples of issues to be considered. They are meant to illustrate the range and variety

of general control activities that are typically used. They are not all-inclusive. Users should

refer to the list of critical elements and control activities pertaining to general control provided in

GAO’s Federal Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6,

January 1999). The list below summarizes the FISCAM’s list; however, users should refer to the

FISCAM for more detailed guidance in performing their evaluation and analysis.

Entitywide Security Management Program Comments/Descriptions

1. The agency periodically performs a comprehensive,

high-level assessment of risks to its information

systems. Consider the following:

• Risk assessments are performed and documented

regularly and whenever systems, facilities, or other

conditions change.

• Risk assessments consider data sensitivity and

integrity.

• Final risk determinations and managerial approvals

are documented and kept on file.

2. The agency has developed a plan that clearly describes

the entitywide security program and policies and

procedures that support it.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 45

Entitywide Security Management Program Comments/Descriptions

3. Senior management has established a structure to

implement and manage the security program

throughout the agency, and security responsibilities

are clearly defined.

4. The agency has implemented effective security-related

personnel policies.

5. The agency monitors the security program’s

effectiveness and makes changes as needed. Consider

the following:

• Management periodically assesses the

appropriateness of security policies and compliance

with them.

• Corrective actions are promptly and effectively

implemented and tested, and they are continually

monitored.

Access Control Comments/Descriptions

1. The agency classifies information resources according

to their criticality and sensitivity. Consider the

following:

• Resource classifications and related criteria have been

established and communicated to resource owners.

• Resource owners have classified their information

resources based on the approved criteria and with

regard to risk determinations and assessments and

have documented those classifications.

2. Resource owners have identified authorized users, and

their access to the information has been formally

authorized.

3. The agency has established physical and logical

controls to prevent or detect unauthorized access.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 46

Access Control Comments/Descriptions

4. The agency monitors information systems access,

investigates apparent violations, and takes appropriate

remedial and disciplinary action.

Application Software Development and Change

Control

Comments/Descriptions

1. Information system processing features and program

modifications are properly authorized.

2. All new or revised software is thoroughly tested and

approved.

3. The agency has established procedures to ensure

control of its software libraries, including labeling,

access restrictions, and use of inventories and separate

libraries.

System Software Control Comments/Descriptions

1. The agency limits access to system software based on

job responsibilities, and access authorization is

documented.

2. Access to and use of system software are controlled

and monitored.

3. The agency controls changes made to the system

software.

Segregation of Duties Comments/Descriptions

1. Incompatible duties have been identified and policies

implemented to segregate those duties.

2. Access controls have been established to enforce

segregation of duties.

3. The agency exercises control over personnel activities

through the use of formal operating procedures,

supervision, and review.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 47

Service Continuity Comments/Descriptions

1. The criticality and sensitivity of computerized

operations have been assessed and prioritized, and

supporting resources have been identified.

2. The agency has taken steps to prevent and minimize

potential damage and interruption through the use of

data and program backup procedures including off-

site storage of backup data as well as environmental

controls, staff training, and hardware maintenance

and management.

3. Management has developed and documented a

comprehensive contingency plan.

4. The agency periodically tests the contingency plan and

adjusts it as appropriate.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 48

Control Activities Specific for Information Systems – Application Control

Application control covers the structure, policies, and procedures designed to help ensure

completeness, accuracy, authorization, and validity of all transactions during application

processing. It includes both the routines contained within the computer program code as well as

the policies and procedures associated with user activities, such as manual measures performed

by the user to determine that the data were processed accurately by the computer.

There are four major factors or categories of control activities that need to be considered by the

user when evaluating application control: authorization control, completeness control, accuracy

control, and control over integrity of processing and data files. The factors and related points

and some subsidiary points are listed below as examples of issues to be considered. They are

meant to illustrate the range and variety of application control activities that are typically used.

They are not all-inclusive. In the future, application control evaluation and testing will be

addressed in Chapter 4 of GAO’s Federal Information System Controls Audit Manual (FISCAM)

(GAO/AIMD-12.19.6, January 1999). That chapter is currently under development and is

expected to be issued with the first update of the FISCAM. However, the list of factors, points,

and subsidiary points provided below generally follows the guidance expected to be issued in the

FISCAM. Users should refer to Chapter 4 of the FISCAM, when issued, for more detailed

guidance in performing their evaluation and analysis.

Authorization Control Comments/Descriptions

1. Source documents are controlled and require

authorization. Consider the following:

• Access to blank source documents is restricted.

• Source documents are pre-numbered sequentially.

• Key source documents require authorizing signatures.

• For batch application systems, batch control sheets

are used providing information such as date, control

number, number of documents, and control totals for

key fields.

• Supervisory or independent review of data occurs

before it is entered into the application system.

2. Data entry terminals have restricted access.

3. Master files and exception reporting are used to ensure

that all data processed are authorized.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 49

Completeness Control Comments/Descriptions

1. All authorized transactions are entered into and

processed by the computer.

2. Reconciliations are performed to verify data

completeness.

Accuracy Control Comments/Descriptions

1. The agency’s data entry design features contribute to

data accuracy.

2. Data validation and editing are performed to identify

erroneous data.

3. Erroneous data are captured, reported, investigated,

and promptly corrected.

4. Output reports are reviewed to help maintain data

accuracy and validity.

Control Over Integrity of

Processing and Data Files

Comments/Descriptions

1. Procedures ensure that the current version of

production programs and data files are used during

processing.

2. Programs include routines to verify that the proper

version of the computer file is used during processing.

3. Programs include routines for checking internal file

header labels before processing.

4. The application protects against concurrent file

updates.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 50

Control Activities Summary Section

Provide General Conclusions and Actions Needed Here:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 51

INFORMATION AND COMMUNICATIONS

According to the fourth internal control standard, for an agency to run and control its operations,

it must have relevant, reliable information, both financial and nonfinancial, relating to external as

well as internal events. That information should be recorded and communicated to management

and others within the agency who need it and in a form and within a time frame that enables

them to carry out their internal control and operational responsibilities. In addition, the agency

needs to make sure that the forms of communications are broad-based and that information

technology management assures useful, reliable, and continuous communications. Managers and

evaluators should consider the appropriateness of information and communication systems to the

entity's needs and the degree to which they accomplish the objectives of internal control. Listed

below are factors a user might consider. The list is a beginning point. It is not all-inclusive nor

will every item apply to every agency or activity within the agency. Even though some of the

functions and points may be subjective in nature and require the use of judgment, they are

important in collecting appropriate data and information and in establishing and maintaining

good communications.

Information Comments/Descriptions

1. Information from internal and external sources is

obtained and provided to management as a part of the

agency’s reporting on operational performance

relative to established objectives. Consider the

following:

• Internally generated information critical to achieving

the agency’s objectives, including information

relative to critical success factors, is identified and

regularly reported to management.

• The agency obtains and reports to managers any

relevant external information that may affect the

achievement of its missions, goals, and objectives,

particularly that related to legislative or regulatory

developments and political or economic changes.

• Internal and external information needed by managers

at all levels is reported to them.

2. Pertinent information is identified, captured, and

distributed to the right people in sufficient detail, in

the right form, and at the appropriate time to enable

them to carry out their duties and responsibilities

efficiently and effectively. Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 52

Information Comments/Descriptions

• Managers receive analytical information that helps

them identify specific actions that need to be taken.

• Information is provided at the right level of detail for

different levels of management.

• Information is summarized and presented

appropriately and provides pertinent information

while permitting a closer inspection of details as

needed.

• Information is available on a timely basis to allow

effective monitoring of events, activities, and

transactions and to allow prompt reaction.

• Program managers receive both operational and

financial information to help them determine whether

they are meeting the strategic and annual performance

plans and meeting the agency’s goals for

accountability of resources.

• Operational information is provided to managers so

that they may determine whether their programs

comply with applicable laws and regulations.

• The appropriate financial and budgetary information

is provided for both internal and external financial

reporting.

Communications Comments/Descriptions

1. Management ensures that effective internal

communications occur. Consider the following:

• Top management provides a clear message

throughout the agency that internal control

responsibilities are important and must be taken

seriously.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 53

Communications Comments/Descriptions

• Employees’ specific duties are clearly communicated

to them and they understand the relevant aspects of

internal control, how their role fits into it, and how

their work relates to the work of others.

• Employees are informed that when the unexpected

occurs in performing their duties, attention must be

given not only to the event, but also to the underlying

cause, so that potential internal control weaknesses

can be identified and corrected before they can do

further harm to the agency.

• Acceptable behavior versus unacceptable behavior

and the consequences of improper conduct are clearly

communicated to all employees.

• Personnel have a means of communicating

information upstream within the agency through

someone other than a direct supervisor, and there is a

genuine willingness to listen on the part of

management.

• Mechanisms exist to allow the easy flow of

information down, across, and up the organization,

and easy communications exist between functional

activities, such as between procurement activities and

production activities.

• Employees indicate that informal or separate lines of

communications exist, which serve as a “fail-safe”

control for normal communications avenues.

• Personnel understand that there will be no reprisals

for reporting adverse information, improper conduct,

or circumvention of internal control activities.

• Mechanisms are in place for employees to

recommend improvements in operations, and

management acknowledges good employee

suggestions with cash awards or other meaningful

recognition.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 54

Communications Comments/Descriptions

• Management communicates frequently with internal

oversight groups, such as senior management

councils, and keeps them informed of performance,

risks, major initiatives, and any other significant

events.

2. Management ensures that effective external

communications occur with groups that can have a

serious impact on programs, projects, operations, and

other activities, including budgeting and financing.

Consider the following:

• Open and effective communications channels have

been established with customers, suppliers,

contractors, consultants, and other groups that can

provide significant input on quality and design of

agency products and services.

• All outside parties dealing with the agency are clearly

informed of the agency’s ethical standards and also

understand that improper actions, such as improper

billings, kickbacks, or other improper payments, will

not be tolerated.

• Communications from external parties, such as other

federal agencies, state and local governments, and

other related third parties, is encouraged since it can

be a source of information on how well internal

control is functioning.

• The agency has methods to ensure compliance with

the Federal Advisory Committee Act of 1972 since

such committees may include individuals external to

the agency with whom communications could occur.

• Complaints or inquires, especially those concerning

services, such as shipments, receipts, and billings, are

welcomed since they can point out control problems.

• Management makes certain that the advice and

recommendations of Inspectors General and other

auditors and evaluators are fully considered and that

actions are implemented to correct any problems or

weaknesses they identify.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 55

Communications Comments/Descriptions

• Communications with Congress, OMB, Treasury,

other federal agencies, state and local governments,

the media, the public, and others provide information

relevant to the requesters’ needs so that they can

better understand the agency’s mission, goals, and

objectives, better understand the risks facing the

agency, and thus better understand the agency.

Forms and Means of Communications Comments/Descriptions

1. The agency employs many and various forms and

means of communicating important information with

employees and others. Consider the following:

• Management uses effective communications methods,

which may include policy and procedures manuals,

management directives, memoranda, bulletin board

notices, internet and intranet web pages, videotaped

messages, e-mail, and speeches.

• Two of the most powerful forms of communications

used by management are the positive actions it takes

in dealing with personnel throughout the organization

and its demonstrated support of internal control.

2. The agency manages, develops, and revises its

information systems in an effort to continually

improve the usefulness and reliability of its

communication of information. Consider the

following:

• Information systems management is based on a

strategic plan for information systems that is linked to

the agency’s overall strategic plan.

• A mechanism exists for identifying emerging

information needs.

• As part of the agency’s information management,

improvements and advances in technology are

monitored, analyzed, evaluated, and introduced to

help the agency respond more rapidly and efficiently

to those it serves.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 56

Forms and Means of Communications Comments/Descriptions

• Management continually monitors the quality of the

information captured, maintained, and communicated

as measured by such factors as appropriateness of

content, timeliness, accuracy, and accessibility.

• Management’s support for the development of

information technology is demonstrated by its

commitment of appropriate human and financial

resources to the effort.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 57

Information and Communications Summary Section

Provide General Conclusions and Actions Needed Here:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 58

(BLANK)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 59

MONITORING

Monitoring is the final internal control standard. Internal control monitoring should assess the

quality of performance over time and ensure that the findings of audits and other reviews are

promptly resolved. In considering the extent to which the continued effectiveness of internal

control is monitored, both ongoing monitoring activities and separate evaluations of the internal

control system, or portions thereof, should be considered. Ongoing monitoring occurs during

normal operations and includes regular management and supervisory activities, comparisons,

reconciliations, and other actions people take in performing their duties. It includes ensuring that

managers and supervisors know their responsibilities for internal control and the need to make

control and control monitoring part of their regular operating processes. Separate evaluations are

a way to take a fresh look at internal control by focusing directly on the controls’ effectiveness at

a specific time. These evaluations may take the form of self-assessments as well as review of

control design and direct testing, and may include the use of this Management and Evaluation

Tool or some similar device. In addition, monitoring includes policies and procedures for

ensuring that any audit and review findings and recommendations are brought to the attention of

management and are resolved promptly. Managers and evaluators should consider the

appropriateness of the agency’s internal control monitoring and the degree to which it helps them

accomplish their objectives. Listed below are factors a user might consider. The list is a

beginning point. It is not all-inclusive, and every item might not apply to every agency or

activity within the agency. Even though some of the functions and points may be subjective in

nature and require the use of judgment, they are important in establishing and maintaining good

internal control monitoring policies and procedures.

Ongoing Monitoring Comments/Descriptions

1. Management has a strategy to ensure that ongoing

monitoring is effective and will trigger separate

evaluations where problems are identified or systems

are critical and testing is periodically desirable.

Consider the following:

• Management’s strategy provides for routine feedback

and monitoring of performance and control

objectives.

• The monitoring strategy includes methods to

emphasize to program and operational mangers that

they have responsibility for internal control and that

they should monitor the effectiveness of control

activities as a part of their regular duties.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 60

Ongoing Monitoring Comments/Descriptions

• The monitoring strategy includes methods to

emphasize to program mangers their responsibility

for internal control and their duties to regularly

monitor the effectiveness of control activities.

• The monitoring strategy includes identification of

critical operational and mission support systems that

need special review and evaluation.

• The strategy includes a plan for periodic evaluation of

control activities for critical operational and mission

support systems.

2. In the process of carrying out their regular activities,

agency personnel obtain information about whether

internal control is functioning properly. Consider the

following:

• Operating reports are integrated or reconciled with

financial and budgetary reporting system data and

used to manage operations on an ongoing basis, and

management is aware of inaccuracies or exceptions

that could indicate internal control problems.

• Operating management compares production, sales,

or other operating information obtained in the course

of its daily activities to system-generated information

and follows up on any inaccuracies or other problems

that might be found.

• Operating personnel are required to “sign-off” on the

accuracy of their unit’s financial statements and are

held accountable if errors are discovered.

3. Communications from external parties should

corroborate internally generated data or indicate

problems with internal control. Consider the

following:

• Management recognizes that customers paying for

invoices help to corroborate billing data, while

customer complaints indicate that deficiencies may

exist; and these deficiencies are then investigated to

determine the underlying causes.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 61

Ongoing Monitoring Comments/Descriptions

• Communications from vendors and monthly

statements of accounts payable are used as control

monitoring techniques.

• Supplier complaints about any unfair practices by

agency purchasing agents are investigated.

• Congress and oversight groups communicate

information to the agency about compliance or other

matters that reflect on the functioning of internal

control, and management follows up on any problems

indicated.

• Control activities that should have prevented or

detected any problems that arose, but did not function

properly, are reassessed.

4. Appropriate organizational structure and supervision

help provide oversight of internal control functions.

Consider the following:

• Automated edits and checks as well as clerical

activities are used to help control accuracy and

completeness of transaction processing.

• Separation of duties and responsibilities is used to

help deter fraud.

• The Inspector General is independent and has

authority to report directly to the agency head and

does not conduct agency operations for management.

5. Data recorded by information and financial systems

are periodically compared with physical assets and

discrepancies are examined. Consider the following:

• Inventory levels of materials, supplies, and other

assets are checked regularly; differences between

recorded and actual amounts are corrected; and the

reasons for the discrepancies resolved.

• The frequency of the comparison is a function of the

vulnerability of the asset.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 62

Ongoing Monitoring Comments/Descriptions

• Custodial accountability for assets and resources is

assigned to responsible individuals.

6. The Inspector General and other auditors and

evaluators regularly provide recommendations for

improvements in internal control with management

taking appropriate follow-up action.

7. Meetings with employees are used to provide

management with feedback on whether internal

control is effective. Consider the following:

• Relevant issues, information, and feedback

concerning internal control raised at training

seminars, planning sessions, and other meetings are

captured and used by management to address

problems or strengthen the internal control structure.

• Employee suggestions on internal control are

considered and acted upon as appropriate.

• Management encourages employees to identify

internal control weaknesses and report them to the

next supervisory level.

8. Employees are regularly asked to state explicitly

whether they comply with the agency’s code of conduct

or similar agency pronouncements of expected

employee behavior. Consider the following:

• Personnel periodically acknowledge compliance with

the code of conduct.

• Signatures are required to evidence performance of

critical internal control functions, such as

reconciliations.

Separate Evaluations Comments/Descriptions

1. The scope and frequency of separate evaluations of

internal control are appropriate for the agency.

Consider the following:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 63

Separate Evaluations Comments/Descriptions

• Consideration is given to the risk assessment results

and the effectiveness of ongoing monitoring when

determining the scope and frequency of separate

evaluations.

• Separate evaluations are often prompted by events

such as major changes in management plans or

strategies, major expansion or downsizing of the

agency, or significant changes in operations or

processing of financial or budgetary information.

• Appropriate portions or sections of internal control

are evaluated regularly.

• Separate evaluations are conducted by personnel with

the required skills that may include the agency’s

Inspector General or an external auditor.

2. The methodology for evaluating the agency’s internal

control is logical and appropriate. Consider the

following:

• The methodology used may include self-assessments

using checklists, questionnaires, or other such tools,

and it may include the use of this Management and

Evaluation Tool or some similar device.

• The separate evaluations may include a review of the

control design and direct testing of the internal

control activities.

• In agencies where large amounts of data are

processed by the information and/or financial

systems, separate evaluation methodology employs

computer assisted audit techniques to identify

indicators of inefficiencies, waste, or abuse.

• The evaluation team develops a plan for the

evaluation process to ensure a coordinated effort.

• If the evaluation process is conducted by agency

employees, it is managed by an executive with the

requisite authority, capability, and experience.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 64

Separate Evaluations Comments/Descriptions

• The evaluation team gains a sufficient understanding

of the agency’s missions, goals, and objectives and its

operations and activities.

• The evaluation team gains an understanding of how

the agency’s internal control is supposed to work and

how it actually does work.

• The evaluation team analyzes the results of the

evaluation against established criteria.

• The evaluation process is properly documented.

3. If the separate evaluations are conducted by the

agency’s Inspector General, that office has sufficient

resources, ability, and independence. Consider the

following:

• The Inspector General has sufficient levels of

competent and experienced staff.

• The Inspector General is organizationally

independent and reports to the highest levels within

the agency.

• The responsibilities, scope of work, and audit plans of

the Inspector General are appropriate to the agency’s

needs.

4. Deficiencies found during separate evaluations are

promptly resolved. Consider the following:

• Deficiencies are promptly communicated to the

individual responsible for the function and also to at

least one level of management above that individual.

• Serious deficiencies and internal control problems are

promptly reported to top management.

This particular point and the related subsidiary points are not expected to be assessed by agency

management or the agency Inspector General. However, their consideration may be useful in outside

reviews or peer reviews.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 65

Audit Resolution

Comments/Descriptions

1. The agency has a mechanism to ensure the prompt

resolution of findings from audits and other reviews.

Consider the following:

• Managers promptly review and evaluate findings

resulting from audits, FMFIA and FFMIA

assessments, and other reviews, including those

showing deficiencies and those identifying

opportunities for improvements.

• Management determines the proper actions to take in

response to findings and recommendations.

• Corrective action is taken or improvements made

within established time frames to resolve the matters

brought to management’s attention.

• In cases where there is disagreement with the findings

or recommendations, management demonstrates that

those findings or recommendations are either invalid

or do not warrant action.

• Management considers consultations with auditors

(such as GAO, the Inspector General, and other

external auditors), and reviewers when they are

believed to be helpful in the audit resolution process.

2. Agency management is responsive to the findings and

recommendations of audits and other reviews aimed at

strengthening internal control. Consider the

following:

• Executives with the proper authority evaluate the

findings and recommendations and decide upon the

appropriate actions to take to correct or improve

control.

• Desired internal control actions are followed up on to

verify implementation.

Audit Resolution includes the resolution of findings and recommendations not just from formal audits,

but also resulting from informal reviews, internal separate evaluations, management studies, and

assessments made pursuant to the requirements of the Federal Managers’ Financial Integrity Act (FMFIA)

of 1982 and the Federal Financial Management Improvement Act (FFMIA) of 1996.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 66

Audit Resolution Comments/Descriptions

3. The agency takes appropriate follow-up actions with

regard to findings and recommendations of audits and

other reviews. Consider the following:

• Problems with particular transactions or events are

corrected promptly.

• The underlying causes giving rise to the findings or

recommendations are investigated by management.

• Actions are decided upon to correct the situation or

take advantage of the opportunity for improvements.

• Management and auditors follow up on audit and

review findings, recommendations, and the actions

decided upon to ensure that those actions are taken.

• Top management is kept informed through periodic

reports on the status of audit and review resolution so

that it can ensure the quality and timeliness of

individual resolution decisions.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 67

Monitoring Summary Section

Provide General Conclusions and Actions Needed Here:

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 68

(BLANK)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 69

OVERALL INTERNAL CONTROL SUMMARY

Control Environment

Assessment/Conclusions

Management and employees have a positive and

supportive attitude toward internal control and

conscientious management. Management conveys the

message that integrity and ethical values must not be

compromised. The agency demonstrates a commitment to

the competence of its personnel and employs good human

capital policies and practices. Management has a

philosophy and operating style that is appropriate to the

development and maintenance of effective internal control.

The agency’s organizational structure and the way in

which it assigns authority and responsibility contribute to

effective internal control. The agency has a good working

relationship with Congress and oversight groups.

Risk Assessment

The agency has established clear and consistent entitywide

objectives and supporting activity-level objectives.

Management has made a thorough identification of risks,

from both internal and external sources, that may affect

the ability of the agency to meet those objectives. An

analysis of those risks has been performed, and the agency

has developed an appropriate approach for risk

management. In addition, mechanisms are in place to

identify changes that may affect the agency’s ability to

achieve its missions, goals, and objectives.

Control Activities

Appropriate policies, procedures, techniques, and control

mechanisms have been developed and are in place to

ensure adherence to established directives. Proper control

activities have been developed for each of the agency’s

activities. The control activities identified as necessary are

actually being applied properly.

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 70

Information and Communications Assessment/Conclusions

Information systems are in place to identify and record

pertinent operational and financial information relating to

internal and external events. That information is

communicated to management and others within the

agency who need it and in a form that enables them to

carry out their duties and responsibilities efficiently and

effectively. Management ensures that effective internal

communications take place. It also ensures that effective

external communications occur with groups that can

affect the achievement of the agency’s missions, goals, and

objectives. The agency employs various forms of

communications appropriate to its needs and manages,

develops, and revises its information systems in a

continual effort to improve communications.

Monitoring

Agency internal control monitoring assesses the quality of

performance over time. It does this by putting procedures

in place to monitor internal control on an ongoing basis as

a part of the process of carrying out its regular activities.

It includes ensuring that managers know their

responsibilities for internal control and control

monitoring. In addition, separate evaluations of internal

control are periodically performed and the deficiencies

found are investigated. Procedures are in place to ensure

that the findings of all audits and other reviews are

promptly evaluated, decisions are made about the

appropriate response, and actions are taken to correct or

otherwise resolve the issues promptly.

(193010)

GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01)Page 71