This is the accessible text file for GAO report number GAO-01-1008G 
entitled 'Internal Control Management and Evaluation Tool' which was 
released on August 1, 2001. 

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States General Accounting Office: 
GAO: 

Internal Control Standards: 

August 2001: 

Internal Control Management and Evaluation Tool: 

GAO-01-1008G: 

Preface: 

August 2001: 

The General Accounting Office (GAO) issues standards for internal 
control in the federal government as required by 31 U.S.C. 3512(c), 
commonly referred to as the Federal Managers' Financial Integrity Act 
of 1982. GAO first issued the standards in 1983. They became widely 
known throughout the government as the "Green Book." Since then, 
changes in information technology, emerging issues involving human 
capital management, and requirements of recent financial management-
related legislation have prompted renewed focus on internal control.
Consequently, GAO revised the standards and reissued them as Standards 
for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, 
November 1999). These standards provide the overall framework for 
establishing and maintaining internal control and for identifying and 
addressing major performance challenges and areas at greatest risk for 
fraud, waste, abuse, and mismanagement. 

We are issuing this Management and Evaluation Tool, which is based 
upon GAO's Standards for Internal Control in the Federal Government, 
to assist agencies in maintaining or implementing effective internal 
control and, when needed, to help determine what, where, and how 
improvements can be implemented. Although this tool is not required to 
be used, it is intended to provide a systematic, organized, and 
structured approach to assessing the internal control structure. It is 
one in a series of related documents we have issued to assist agencies 
in improving or maintaining effective operations. (See the last page 
of this document for a list of related products.) 

This tool, GAO's standards for internal control, and the Office of 
Management and Budget Circular A-123, Management Accountability and 
Control (Revised June 21, 1995), should be used concurrently. Judgment 
must be applied in the interpretation and application of this tool to 
enable a user to consider the impact of the completed document on the 
entire internal control structure. 

To facilitate its use, this tool is located on the Internet on GAO's 
home page (www.gao.gov) under the heading "Other Publications" and the 
subheading "Accounting and Financial Management." Additional copies 
can be obtained from the U.S. General Accounting Office, Room 1100, 
700 4th Street, NW, Washington, DC 20548, or by calling (202) 512-
6000, or TDD (202) 512-2537. 

Signed by: 

Jeffrey C. Steinhoff: 
Managing Director: 
Financial Management and Assurance: 

[End of Preface] 

Contents: 

Introduction: 

Control Environment: 

Risk Assessment: 

Control Activities: 

Information and Communications: 

Monitoring: 

Overall Internal Control Summary: 

Related Products: 

Abbreviations: 

CFO: Chief Financial Officer: 

COSO: Committee of Sponsoring Organizations of the Treadway Commission: 

FAM: Financial Audit Manual: 

FFMIA: Federal Financial Management Improvement Act of 1996: 

FISCAM: Federal Information System Controls Audit Manual: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

GAO: General Accounting Office: 

GPRA: Government Performance and Results Act of 1993: 

OMB: Office of Management and Budget: 

OPM: Office of Personnel Management: 

[End of section] 

Introduction: 

As federal managers strive to achieve their agency's missions and 
goals and provide accountability for their operations, they need to 
continually assess and evaluate their internal control structure to 
assure that it is well designed and operated, appropriately updated to 
meet changing conditions, and provides reasonable assurance that the 
objectives of the agency are being achieved. Specifically, managers 
need to examine internal control to determine how well it is 
performing, how it may be improved, and the degree to which it helps 
identify and address major risks for fraud, waste, abuse, and 
mismanagement. 

Using This Document: 

This document is an Internal Control Management and Evaluation Tool. 
Although this tool is not required to be used, it is intended to help 
managers and evaluators determine how well an agency's internal 
control is designed and functioning and help determine what, where, 
and how improvements, when needed, may be implemented. 

This tool is based upon the guidance provided in GAO's Standards for 
Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, 
November 1999). That document provides the context for the use and 
application of this tool. Consequently, users of this tool (and 
managers and staff in general) should become familiar with the 
standards provided in that document. In addition, it would be helpful 
if users who are not experienced in internal control matters have 
access to persons who have such experience. 

The tool is presented in five sections corresponding to the five 
standards for internal control: control environment, risk assessment, 
control activities, information and communications, and monitoring. 
Each section contains a list of major factors to be considered when 
reviewing internal control as it relates to the particular standard. 
These factors represent some of the more important issues addressed by 
the standard. Included under each factor are points and subsidiary 
points that users should consider when addressing the factor. The 
points and subsidiary points are intended to help users consider 
specific items that indicate the degree to which internal control is 
functioning. Users should apply informed judgment when considering the 
specific points and subsidiary points to determine (1) the 
applicability of the point to the circumstances, (2) whether the 
agency has actually been able to implement, perform, or apply the 
point, (3) any control weaknesses that may actually result, and (4) 
the extent to which the point impacts on the agency's ability to 
achieve its mission and goals. 

Space is provided beside each point and subsidiary point for the user 
to note comments or provide descriptions of the circumstances 
affecting the issue. Comments and descriptions usually will not be of 
the "yes/no" type, but will generally include information on how the 
agency does or does not address the issue. Users could also use this 
comment space to indicate whether any problems found might be major or 
minor control weaknesses. This tool is intended to help users reach a 
conclusion about the agency's internal control as it pertains to the 
particular standard. In this regard, a space is provided at the end of 
each section for the user to note the general overall assessment and 
to identify actions that might need to be taken or considered. 
Additional space is provided for an overall summary assessment at the 
end of the tool. 

It should be understood that this tool is not an authoritative part of 
the standards for internal control. Rather, it is intended as a 
supplemental guide that federal managers and evaluators may use in 
assessing the effectiveness of internal control and identifying 
important aspects of control in need of improvement. Users should keep 
in mind that this tool is a starting point and that it can and should 
be modified to fit the circumstances, conditions, and risks relevant 
to the situation of each agency. Not all of the points or subsidiary 
points need to be considered for every agency or activity, depending 
upon the type of mission being performed and the cost/benefit aspect 
of a particular control item. Users should consider the relevant 
points and subsidiary points and delete or add others as appropriate 
to their particular entity or circumstances. In addition, users should 
note that this document follows the format of the standards for 
internal control. Users may rearrange or reorganize the points and 
subsidiary points to fit their particular needs or desires. 

This Tool Can Help: 

This tool could be useful in assessing internal control as it relates 
to the achievement of the objectives in any of the three major control 
categories, i.e., effectiveness and efficiency of operations, 
reliability of financial reporting, and compliance with laws and 
regulations. It may also be useful with respect to the subset 
objective of safeguarding assets from fraud, waste, abuse, or misuse. 
In addition, the tool may be used when considering internal control as 
it relates to any of the various activities of an agency, such as 
administration, human capital management, financial management, 
acquisition and procurement, and provision of goods or services. 

Furthermore, the tool may be helpful in meeting the reporting 
requirements of 31 U.S.C. 3512(c), commonly referred to as the Federal 
Managers' Financial Integrity Act (FMFIA) of
1982. The FMFIA requires annual reporting on agency internal control. 
The act directs the head of each executive agency to provide an annual 
statement as to whether the agency's internal control complies with 
the prescribed standards. Essentially, this requires the report to 
make a declaration as to the effectiveness of the internal control. If 
the internal control does not comply with such requirements, the 
report is to identify material weaknesses and the plans and schedule 
for correcting those weaknesses. Office of Management and Budget (OMB) 
Circular A-123, Management Accountability and Control, revised June 
21, 1995, provides agencies guidance on how to satisfy the FMFIA 
reporting requirements.[Footnote 1] 

Related Resources: 

It should be further noted that this tool is not the only resource 
available for assessing internal control. It should be used in 
conjunction with other resources, such as the guidance provided in
OMB Circular A-123, Management Accountability and Control, revised 
June 21, 1995. Financial statement auditors should follow GAO's 
Financial Audit Manual (FAM) (GAO/AFMD-12.19.5A/B, December 1997), as 
amended. The FAM provides the process and methodology the auditor is 
to follow when reviewing internal control in financial audits. The 
financial auditor considers internal control primarily as it relates 
to financial reporting and compliance with laws and regulations. 
Relating to internal control, the FAM focuses on the auditor's 
identification and assessment of risk as it relates to the financial 
statement audit objectives. On the other hand, this tool discusses 
internal control from a broader, overall entity perspective based on 
the internal control standards and focusing on management's 
operational and program objectives. Although the focus of each 
document is different, they are complementary. 

This Management and Evaluation Tool was developed using many different 
sources of information and ideas. The primary source was, of course, 
GAO's Standards for Internal Control in the Federal Government. 
Additional guidance was obtained from the "Evaluation Tools" section 
of Internal Control - Integrated Framework, by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO), issued in 
September 1992. Consideration was given to the requirements of 
pertinent legislation, including the Federal Managers' Financial
Integrity Act (FMFIA) of 1982, the Chief Financial Officers Act of 
1990, the Government Performance and Results Act (GPRA) of 1993, and 
the Federal Financial Management Improvement Act (FFMIA) of 1996. 
Further guidance was developed using prior GAO publications, including 
Human Capital: A Self-Assessment Checklist for Agency Leaders
(GAO/OGC-00-14G, September 2000, Version 1) and the Federal 
Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, 
January 1999). Finally, essential material was also developed based on 
the many years of experience of GAO evaluators and analysts in
reviewing and assessing federal agency internal control. 

This publication is one in a series of documents issued by GAO to 
assist agencies in improving or maintaining effective operations. See 
the last page of this document for a list of related products. 

[End of section] 

Control Environment: 

According to the first internal control standard, which relates to 
control environment, management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. There are several key factors that affect 
the accomplishment of this goal. Managers and evaluators should 
consider each of these control environment factors when determining 
whether a positive control environment has been achieved. The factors 
that should be focused on are listed below. The list is a beginning 
point. It is not all-inclusive and not every item will apply to every 
agency or activity within the agency. Even though some of the 
functions are subjective in nature and require the use of judgment, 
they are important in achieving control environment effectiveness. 

Integrity and Ethical Values: 

1. The agency has established and uses a formal code or codes of 
conduct and other policies communicating appropriate ethical and moral 
behavioral standards and addressing acceptable operational practices 
and conflicts of interest. Consider the following: 

* The codes are comprehensive in nature and directly address issues 
such as improper payments, appropriate use of resources, conflicts of 
interest, political activities of employees, acceptance of gifts or 
donations or foreign decorations, and use of due professional care. 
[Footnote 2] 

* The codes are periodically acknowledged by signature from all 
employees. 

* Employees indicate that they know what kind of behavior is 
acceptable and unacceptable, what penalties unacceptable behavior may 
bring, and what to do if they become aware of unacceptable behavior. 

2. An ethical tone has been established at the top of the organization 
and has been communicated throughout the agency. Consider the 
following: 

* Management fosters and encourages an agency culture that emphasizes 
the importance of integrity and ethical values. This might be achieved 
through oral communications in meetings, via one-on-one discussions, 
and by example in day-to-day activities. 

* Employees indicate that peer pressure exists for appropriate moral 
and ethical behavior. 

* Management takes quick and appropriate action as soon as there are 
any signs that a problem may exist. 

3. Dealings with the public, Congress, employees, suppliers, auditors, 
and others are conducted on a high ethical plane. Consider the 
following: 

* Financial, budgetary, and operational/programmatic reports to 
Congress, OMB, Treasury, the Office of Personnel Management (OPM), and 
the public are proper and accurate (not intentionally misleading). 

* Management cooperates with auditors and other evaluators, discloses 
known problems to them, and values their comments and recommendations. 

* Underbillings by suppliers or overpayments by users or customers are 
quickly corrected. 

* The agency has a well-defined and understood process for dealing 
with employee claims and concerns in a timely and appropriate manner. 

4. Appropriate disciplinary action is taken in response to departures 
from approved policies and procedures or violations of the code of 
conduct. Consider the following: 

* Management takes action when there are violations of policies, 
procedures, or the code(s) of conduct. 

* The types of disciplinary actions that can be taken are widely 
communicated throughout the agency so that others know that if they 
behave improperly, they will face similar consequences.  

5. Management appropriately addresses intervention or overriding 
internal control. Consider the following:  

* Guidance exists concerning the circumstances and frequency with 
which intervention may be needed, and the management levels which may 
take such action.  

* Any intervention or overriding of internal control is fully 
documented as to reasons and specific actions taken.  

* Overriding of internal control by low-level management personnel is 
prohibited except in emergency situations, and upper-level management 
is immediately notified and the circumstances are documented.  

6. Management removes temptation for unethical behavior. Consider the 
following:  

* Management has a sound basis for setting realistic and achievable 
goals and does not pressure employees to meet unrealistic ones.  

* Management provides fair, nonextreme incentives (as opposed to 
unfair and unnecessary temptations) to help ensure integrity and 
adherence to ethical values.  

* Compensation and promotion are based on achievements and 
performance.  

Commitment to Competence: 

1. Management has identified and defined the tasks required to 
accomplish particular jobs and fill the various positions. Consider 
the following:  

* Management has analyzed the tasks that need to be performed for 
particular jobs and given consideration to such things as the level of 
judgment required and the extent of supervision necessary. 

* Formal job descriptions or other means of identifying and defining 
specific tasks required for job positions have been established and 
are up-to-date. 

2. The agency has performed analyses of the knowledge, skills, and 
abilities needed to perform jobs appropriately. Consider the following: 

* The knowledge, skills, and abilities needed for various jobs have 
been identified and made known to employees. 

* Evidence exists that the agency attempts to assure that employees 
selected for various positions have the requisite knowledge, skills, 
and abilities. 

3. The agency provides training and counseling in order to help 
employees maintain and improve their competence for their jobs. 
Consider the following: 

* There is an appropriate training program to meet the needs of all 
employees. 

* The agency emphasizes the need for continuing training and has a 
control mechanism to help ensure that all employees actually received 
appropriate training. 

* Supervisors have the necessary management skills and have been 
trained to provide effective job performance counseling. 

* Performance appraisals are based on an assessment of critical job 
factors and clearly identify areas in which the employee is performing 
well and areas that need improvement. 

* Employees are provided candid and constructive job performance 
counseling. 

4. Key senior-level employees have a demonstrated ability in general 
management and extensive practical experience in operating 
governmental or business entities. 

Management's Philosophy and Operating Style:  

1. Management has an appropriate attitude toward risk-taking, and 
proceeds with new ventures, missions, or operations only after 
carefully analyzing the risks involved and determining how they may be 
minimized or mitigated. 

2. Management enthusiastically endorses the use of performance-based 
management. 

3. There has not been excessive personnel turnover in key functions, 
such as operations and program  management, accounting, or internal 
audit, that would indicate a problem with the agency's emphasis on 
internal control. Consider the following: 

* There has not been excessive turnover of supervisory personnel 
related to internal control problems, and there is a strategy for 
dealing with turnover related to constraints and limitations such as 
salary caps. 

* Key personnel have not quit unexpectedly. 

* Personnel turnover has not been so great as to impair internal 
control as a result of employing many people new to their jobs and 
unfamiliar with the control activities and responsibilities. 

* There is no pattern to personnel turnover that would indicate a 
problem with the emphasis that  management places on internal control. 

4. Management has a positive and supportive attitude toward the 
functions of accounting, information management systems, personnel 
operations, monitoring, and internal and external audits and 
evaluations. Consider the following: 

* The financial accounting and budgeting operations are considered 
essential to the well-being of the organization and viewed as methods 
for exercising control over the entity's various activities. 

* Management regularly relies on accounting/financial and programmatic 
data from its systems for decision-making purposes and performance 
evaluation. 

* If the accounting operation is decentralized, unit accounting 
personnel also have reporting responsibility to the central financial 
officer(s). 

* The financial management, accounting operations, and budget 
execution operations are under the direction of the Chief Financial 
Officer (CFO) and strong synchronization and coordination exists 
between budgetary and proprietary financial accounting activities. 

* Management looks to the information management function for critical 
operating data and supports efforts to make improvements in the 
systems as technology advances. 

* Personnel operations have a high priority and senior executives 
emphasize the importance of good human capital management. 

* Management places a high degree of importance on the work of the 
Inspector General, external audits, and other evaluations and studies 
and is responsive to information developed through such products. 

5. Valuable assets and information are safeguarded from unauthorized 
access or use.[Footnote 3] 

6. There is frequent interaction between senior management and 
operating/program management, especially when operating from 
geographically dispersed locations. 

7. Management has an appropriate attitude toward financial, budgetary, 
and operational/programmatic reporting. Consider the following:  

* Management is informed and involved in critical financial reporting 
issues and supports a conservative approach toward the application of 
accounting principles and estimates.  

* Management discloses all financial, budgetary, and programmatic 
information needed to fully understand the operations and financial 
condition of the agency.  

* Management avoids focus on short-term reported results.  

* Personnel do not submit inappropriate or inaccurate reports in order 
to meet targets.  

* Facts are not exaggerated and budgetary estimates are not stretched 
to a point of unreasonableness.  

Organizational Structure: 

1. The agency's organizational structure is appropriate for its size 
and the nature of its operations. Consider the following:  

* The organizational structure facilitates the flow of information 
throughout the agency.  

* The organizational structure is appropriately centralized or 
decentralized, given the nature of its operations, and management has 
clearly articulated the considerations and factors taken into account 
in balancing the degree of centralization versus decentralization.  

2. Key areas of authority and responsibility are defined and 
communicated throughout the organization. Consider the following:  

* Executives in charge of major activities or functions are fully 
aware of their duties and responsibilities. 

* An accurate and updated organizational chart showing key areas of 
responsibility is provided to all employees. 

* Executives and key managers understand their internal control 
responsibilities and ensure that their staff also understand their own 
responsibilities. 

3. Appropriate and clear internal reporting relationships have been 
established. Consider the following: 

* Reporting relationships have been established and effectively 
provide managers information they need to carry out their 
responsibilities and perform their jobs. 

* Employees are aware of the established reporting relationships. 

* Mid-level managers can easily communicate with senior operating 
executives. 

4. Management periodically evaluates the organizational structure and 
makes changes as necessary in response to changing conditions. 

5. The agency has the appropriate number of employees, particularly in 
managerial positions. Consider the following: 

* Managers and supervisors have time to carry out their duties and 
responsibilities. 

* Employees do not have to work excessive overtime or outside the 
ordinary workweek to complete assigned tasks. 

* Managers and supervisors are not fulfilling the roles of more than 
one employee. 

Assignment of Authority and Responsibility: 

1. The agency appropriately assigns authority and delegates 
responsibility to the proper personnel to deal with organizational 
goals and objectives. Consider the following: 

* Authority and responsibility are clearly assigned throughout the 
organization and this is clearly communicated to all employees. 

* Responsibility for decision-making is clearly linked to the 
assignment of authority, and individuals are held accountable 
accordingly. 

* Along with increased delegation of authority and responsibility, 
management has effective procedures to monitor results. 

2. Each employee knows (1) how his or her actions interrelate to 
others considering the way in which authority and responsibilities are 
assigned, and (2) is aware of the related duties concerning internal 
control. Consider the following: 

* Job descriptions clearly indicate the degree of authority and 
accountability delegated to each position and the responsibilities 
assigned. 

* Job descriptions and performance evaluations contain specific 
references to internal control-related duties, responsibilities, and 
accountability. 

3. The delegation of authority is appropriate in relation to the 
assignment of responsibility. Consider the following: 

* Employees at the appropriate levels are empowered to correct 
problems or implement improvements. 

* There is an appropriate balance between the delegation of authority 
at lower levels to "get the job done" and the involvement of senior-
level personnel. 

1. Human Resource Policies and Practices: 

Policies and procedures are in place for hiring, orienting, training, 
evaluating, counseling, promoting, compensating, disciplining, and 
terminating employees. Consider the following: 

* Management communicates information to recruiters about the type of 
competencies needed for the work or participates in the hiring process. 

* The agency has standards or criteria for hiring qualified people, 
with emphasis on education, experience, accomplishment, and ethical 
behavior. 

* Position descriptions and qualifications are in accordance with OPM 
guidance and standardized throughout the agency for similar jobs. 

* A training program has been established and includes orientation 
programs for new employees and ongoing training for all employees. 

* Promotion, compensation, and rotation of employees are based on 
periodic performance appraisals. 

* Performance appraisals are linked to the goals and objectives 
included in the agency's strategic plan. 

* The importance of integrity and ethical values is reflected in 
performance appraisal criteria. 

* Employees are provided with appropriate feedback and counseling on 
their job performance and suggestions for improvements. 

* Disciplinary or remedial action is taken in response to violations 
of policies or ethical standards. 

* Employment is terminated, following established policies, when 
performance is consistently below standards or there are significant 
and serious violations of policy. 

* Management has established criteria for employee retention and 
considers the effect upon operations if large numbers of employees are 
expected to leave or retire in a given period.  

2. Background checks are conducted on candidates for employment. 
Consider the following:  

* Candidates who change jobs often are given particularly close 
attention.  

* Hiring standards require investigations for criminal records for all 
potential employees.  

* References and previous employers are contacted.  

* Educational and professional certifications are confirmed.  

3. Employees are provided a proper amount of supervision. Consider the 
following:  

* Employees receive guidance, review, and on-the-job training from 
supervisors to help ensure proper work flow and processing of 
transactions and events, reduce misunderstandings, and discourage 
wrongful acts.  

* Supervisory personnel ensure that staff are aware of their duties 
and responsibilities and management's expectations.  

Oversight Groups: 

1. Within the agency, there are mechanisms in place to monitor and 
review operations and programs. Consider the following:  

* An Inspector General, who is independent from management, audits and 
reviews agency activities.  

* The agency has an audit committee or senior management council 
consisting of high-level line and staff executives that review the 
internal audit work and coordinate closely with the Inspector General 
and external auditors. 

* If there is an internal audit operation it reports to the agency 
head.[Footnote 4] 

* The internal audit function reviews that agency's activities and 
systems and provides information, analyses, appraisals, 
recommendations, and counsel to management. 

2. The agency works closely with executive branch oversight 
organizations. Consider the following: 

* The agency has a good working relationship with OMB, and major 
officials, including the CFO, meet regularly with OMB personnel to 
discuss areas such as financial and budgetary reporting, internal 
control, and management's performance. 

* High-level agency personnel maintain good working relationships with 
other executive branch agencies that exercise multi-agency control 
responsibilities, such as the Department of the Treasury, the General
Services Administration, and OPM. 

3. The agency maintains a close relationship with Congress in general 
and oversight committees in particular. Consider the following: 

* The agency provides Congress and oversight committees with timely 
and accurate information to allow monitoring of agency activities, 
including review of the agency's (1) mission and goals, (2) 
performance reporting, and (3) financial position and operating 
results. 

* High-level agency officials meet regularly with congressional and 
GAO staff to discuss major issues affecting operations, internal 
control, performance, and other major agency activities and programs. 

Control Environment Summary Section: Provide General Conclusions and 
Actions Needed Here: 

[End of section] 

Risk Assessment: 

The second internal control standard addresses risk assessment. A 
precondition to risk assessment is the establishment of clear, 
consistent agency goals and objectives at both the entity level and at 
the activity (program or mission) level. Once the objectives have been 
set, the agency needs to identify the risks that could impede the 
efficient and effective achievement of those objectives at the entity 
level and the activity level. Internal control should provide for an 
assessment of the risks the agency faces from both internal and 
external sources. Once risks have been identified, they should be 
analyzed for their possible effect. Management then has to formulate 
an approach for risk management and decide upon the internal control 
activities required to mitigate those risks and achieve the internal 
control objectives of efficient and effective operations, reliable 
financial reporting, and compliance with laws and regulations. A 
manager or evaluator will focus on management's processes for 
objective setting, risk identification, risk analysis, and management 
of risk during times of change. Listed below are factors a user might 
consider. The list is a beginning point. It is not all-inclusive nor 
will every item apply to every agency or activity within the agency. 
Even though some of the functions and points may be subjective in 
nature and require the use of judgment, they are important in 
performing risk assessment. 

Establishment of Entitywide Objectives: 

1. The agency has established entitywide objectives that provide 
sufficiently broad statements and guidance about what the agency is 
supposed to achieve, yet are specific enough to relate directly to the 
agency. Consider the following: 

* Management has established overall entitywide objectives in the form 
of mission, goals, and objectives, such as those defined in strategic 
and annual performance plans developed under the GPRA. 

* The entitywide objectives relate to and stem from program 
requirements established by legislation. 

* The entitywide objectives are specific enough to clearly apply to 
the agency instead of applying to all agencies. 

2. Entitywide objectives are clearly communicated to all employees, 
and management obtains feedback signifying that the communication has 
been effective. 

3. There is a relationship and consistency between the agency's 
operational strategies and the entitywide objectives. Consider the 
following:  

* Strategic plans support the entitywide objectives.  

* Strategic plans address resource allocations and priorities.  

* Strategic plans and budgets are designed with an appropriate level 
of detail for various management levels.  

* Assumptions made in strategic plans and budgets are consistent with 
the agency's historical experience and current circumstances.  

4. The agency has an integrated management strategy and risk 
assessment plan that considers the entitywide objectives and relevant 
sources of risk from internal management factors and external sources 
and establishes a control structure to address those risks.  

Establishment of Activity-Level Objectives: 

1. Activity-level (program or mission-level) objectives flow from and 
are linked with the agency's entitywide objectives and strategic 
plans. Consider the following:  

* All significant activities are adequately linked to the entitywide 
objectives and strategic plans.  

* Activity-level objectives are reviewed periodically to assure that 
they have continued relevance.  

2. Activity-level objectives are complementary, reinforce each other, 
and are not contradictory.  

3. The activity-level objectives are relevant to all significant 
agency processes. Consider the following:  

* Objectives have been established for all the key operational 
activities and the support activities.  

* Activity-level objectives are consistent with effective past 
practices and performance, and are consistent with any industry or 
business norms that may be applicable to the agency's operations. 

4. Activity-level objectives include measurement criteria.  

5. Agency resources are adequate relative to the activity-level 
objectives. Consider the following:  

* The resources needed to meet the objectives have been identified.  

* If adequate resources are not available, management has plans to 
acquire them.  

6. Management has identified those activity-level objectives that are 
critical to the success of the overall entitywide objectives. Consider 
the following:  

* Management has identified the things that must occur or happen if 
the entitywide objectives are to be met.  

* The critical activity-level objectives receive particular attention 
and review from management and their performance is monitored 
regularly.  

7. All levels of management are involved in establishing the activity-
level objectives and are committed to their achievement.  

Risk Identification: 

1. Management comprehensively identifies risk using various 
methodologies as appropriate. Consider the following:  

* Qualitative and quantitative methods are used to identify risk and 
determine relative risk rankings on a scheduled and periodic basis.  

* How risk is to be identified, ranked, analyzed, and  mitigated is 
communicated to appropriate staff.  

* Risk identification and discussion occur in senior-level management 
conferences. 

* Risk identification takes place as a part of short-term and long-
term forecasting and strategic planning. 

* Risk identification occurs as a result of consideration of findings 
from audits, evaluations, and other assessments. 

* Risks that are identified at the employee and mid-management level 
are brought to the attention of senior-level managers. 

2. Adequate mechanisms exist to identify risks to the agency arising 
from external factors. Consider the  following: 

* The agency considers the risks associated with technological 
advancements and developments. 

* Consideration is given to risks arising from the changing needs or 
expectations of Congress, agency officials, and the public. 

* Risks posed by new legislation or regulations are identified. 

* Risks to the agency as a result of possible natural catastrophes or 
criminal or terrorist actions are taken into account. 

* Identification of risks resulting from business, political, and 
economic changes are determined. 

* Consideration is given to the risks associated with major suppliers 
and contractors. 

* The agency carefully considers any risks resulting from its 
interactions with various other federal entities and parties outside 
the government. 

3. Adequate mechanisms exist to identify risks to the agency arising 
from internal factors. Consider the following: 

* Risks resulting from downsizing of agency operations and personnel 
are considered. 

* The agency identifies risks associated with business process 
reengineering or redesign of operating processes. 

* Consideration is given to risks posed by disruption of information 
systems processing and the extent to which backup systems are 
available and can be implemented. 

* The agency identifies any potential risks due to highly 
decentralized program operations. 

* Consideration is given to possible risks resulting from the lack of 
qualifications of personnel hired or the extent to which they have 
been trained or not trained. 

* Risks resulting from heavy reliance on contractors or other related 
parties to perform critical agency operations are identified. 

* The agency identifies any risks that might be associated with major 
changes in managerial responsibilities. 

* Risks resulting from unusual employee access to vulnerable assets 
are considered. 

* Risk identification activities consider certain human capital-
related risks, such as the inability to provide succession planning 
and retain key personnel who can affect the ability of the agency or 
program activity to function effectively, and the inadequacy of
 compensation and benefit programs to keep the agency competitive with 
the private sector for labor. 
 
* Risks related to the availability of future funding for new programs 
or the continuation of current programs are assessed.  

4. In identifying risk, management assesses other factors that may 
contribute to or increase the risk to which the agency is exposed. 
Consider the following:  

* Management considers any risks related to past failures to meet 
agency missions, goals, or objectives or failures to meet budget 
limitations.  

* Consideration is given to risks indicated by a history of improper 
program expenditures, violations of funds control, or other statutory 
noncompliance.  

* The agency identifies any risks inherent to the nature of its 
mission or to the significance and complexity of any specific programs 
or activities it undertakes.  

5. Management identifies risks both entitywide and for each 
significant activity-level of the agency.  

Risk Analysis: 

1.After the risks to the agency have been identified, management 
undertakes a thorough and complete analysis of their possible effect. 
Consider the following:  

* Management has established a formal process to analyze risks, and 
that process may include informal analysis based on day-to-day 
management activities.  

* Criteria have been established for determining low, medium, and high 
risks.  

* Appropriate levels of management and employees are involved in the 
risk analysis.  

* The risks identified and analyzed are relevant to the corresponding 
activity objective.  

* Risk analysis includes estimating the risk's significance. 

* Risk analysis includes estimating the likelihood and frequency of 
occurrence of each risk and determining whether it falls into the low, 
medium, or high-risk category. 

* A determination is made on how best to manage or mitigate the risk 
and what specific actions should be taken. 

2. Management has developed an approach for risk management and 
control based on how much risk can be prudently accepted. Consider the 
following: 

* The approach can vary from one agency to another depending upon 
variances in risks and how much risk can be tolerated, but seems 
appropriate to the agency. 

* The approach is designed to keep risks within levels judged to be 
appropriate and management takes responsibility for setting the 
tolerable risk level. 

* Specific control activities are decided upon to manage or mitigate 
specific risks entitywide and at each activity level, and their 
implementation is monitored. 

Managing Risk During Change: 

1. The agency has mechanisms in place to anticipate, identify, and 
react to risks presented by changes in governmental, economic, 
industry, regulatory, operating, or other conditions that can affect 
the achievement of entitywide or activity-level goals and objectives. 
Consider the following: 

* All activities within the agency that might be significantly 
affected by changes are considered in the process. 

* Routine changes are addressed through the established risk 
identification and analysis processes. 

* Risks resulting from conditions that are significantly changing are 
addressed at sufficiently high levels within the agency so that their 
full impact on the organization is considered and appropriate actions 
are taken. 

2. The agency gives special attention to risks presented by changes 
that can have a more dramatic and pervasive effect on the entity and 
may demand the attention of senior officials. Consider the following: 

* The agency is especially attentive to risks caused by the hiring of 
new personnel to occupy key positions or by high personnel turnover in 
any particular area. 

* Mechanisms exist to assess the risks posed by the introduction of 
new or changed information systems and risks involved in training 
employees to use the new systems and to accept the changes. 

* Management gives special consideration to the risks presented by 
rapid growth and expansion or rapid downsizing and the effects on 
systems capabilities and revised strategic plans, goals, and 
objectives. 

* Consideration is given to the risks involved when introducing major 
new technological developments and applications and incorporating them 
into the operating processes. 

* The risks are extensively analyzed whenever the agency begins the 
production or provision of new outputs or services. 

* Risks resulting from the establishment of operations in a new 
geographical area are assessed. 

Risk Assessment Summary Section: Provide General Conclusions and 
Actions Needed Here: 

[End of section] 

Control Activities: 

The third internal control standard addresses control activities. 
Internal control activities are the policies, procedures, techniques, 
and mechanisms that help ensure that management's directives to 
mitigate risks identified during the risk assessment process are 
carried out. Control activities are an integral part of the agency's 
planning, implementing, and reviewing. They are essential for proper 
stewardship and accountability for government resources and for 
achieving effective and efficient program results. 

Control activities occur at all levels and functions of the agency. 
They include a wide range of diverse activities, such as approvals, 
authorizations, verifications, reconciliations, performance reviews, 
security activities, and the production of records and documentation. 
A manager or evaluator should focus on control activities in the 
context of the agency's management directives to address risks 
associated with established objectives for each significant activity 
(program or mission). Therefore, a manager or evaluator will consider 
whether control activities relate to the risk-assessment process and 
whether they are appropriate to ensure that management's directives 
are carried out. In assessing the adequacy of internal control 
activities, a reviewer should consider whether the proper control 
activities have been established, whether they are sufficient in 
number, and the degree to which those activities are operating 
effectively. This should be done for each significant activity. This 
analysis and evaluation should also include controls over computerized 
information systems. A manager or evaluator should consider not only 
whether established control activities are relevant to the risk-
assessment process, but also whether they are being applied properly. 

The control activities put into place in a given agency may vary 
considerably from those used in a different agency. This difference 
may occur because of the (1) variations in missions, goals, and 
objectives of the agencies; (2) differences in their environment and 
manner in which they operate; (3) variations in degree of 
organizational complexity; (4) differences in agency histories and 
culture; and (5) differences in the risks that the agencies face and 
are trying to mitigate. It is probable that, even if two agencies did 
have the same missions, goals, objectives, and organizational 
structures, they would employ different control activities. This is 
due to individual judgment, implementation, and management. All of 
these factors affect an agency's internal control activities, which 
should be designed accordingly to contribute to the achievement of the 
agency's missions, goals, and objectives. 

Given the wide variety of control activities that agencies may employ, 
it would be impossible for this tool to address them all. However, 
there are some general, overall points to be considered by managers 
and evaluators, as well as several major categories or types of 
control activity factors that are applicable at various levels 
throughout practically all federal agencies. In addition, there are 
some control activity factors specifically designed for information 
systems. These factors and related points and subsidiary points are 
listed below as examples of issues to be considered. They are meant to 
illustrate the range and variety of control activities that are 
typically used. The list is a beginning point. It is not all-
inclusive, and not every point or subsidiary point may apply to every 
agency or activity within the agency. Even though some of the 
functions and points may be subjective in nature and require the use 
of judgment, they are important in assessing the appropriateness of 
the agency's internal control activities. 

General Application: 

1. Appropriate policies, procedures, techniques, and mechanisms exist 
with respect to each of the agency's activities. Consider the 
following: 

* All relevant objectives and associated risks for each significant 
activity have been identified in conjunction with conducting the risk 
assessment and analysis function. 

* Management has identified the actions and control activities needed 
to address the risks and directed their implementation. 

2. The control activities identified as necessary are in place and 
being applied. Consider the following: 

* Control activities described in policy and procedures manuals are 
actually applied and applied properly. 

* Supervisors and employees understand the purpose of internal control 
activities. 

* Supervisory personnel review the functioning of established control 
activities and remain alert for instances in which excessive control 
activities should be streamlined. 

* Timely action is take on exceptions, implementation problems, or 
information that requires follow-up. 

3. Control activities are regularly evaluated to ensure that they are 
still appropriate and working as intended.[Footnote 5] 

Common Categories of Control Activities: 

1. Top-Level Reviews - Management tracks major agency achievements in 
relation to its plans. Consider the following: 

* Top-level management regularly reviews actual performance against 
budgets, forecasts, and prior period results. 

* Top management is involved in developing 5-year and annual 
performance plans and targets in accordance with GPRA and measuring 
and reporting results against those plans and targets. 

* Major agency initiatives are tracked for target achievement and 
follow-up actions are taken. 

2. Management Reviews at the Functional or Activity Level - Agency 
managers review actual performance against targets. Consider the 
following: 

* Managers at all activity levels review performance reports, analyze 
trends, and measure results against targets. 

* Both financial and program managers review and compare financial, 
budgetary, and operational performance to planned or expected results. 

* Appropriate control activities are employed, such as reconciliations 
of summary information to supporting detail and checking the accuracy 
of summarizations of operations. 

3. Management of Human Capital - The agency effectively manages the 
organization's workforce to achieve results. Consider the following: 
[Footnote 6] 

* A clear and coherent shared vision of agency mission, goals, values, 
and strategies is explicitly identified in the strategic plan, annual 
performance plan, and other guiding documents, and that view has been 
clearly and consistently communicated to all employees. 

* The agency has a coherent overall human capital strategy, as 
evidenced in its strategic plan, performance plan, or separate human 
capital planning document; and that strategy encompasses human
capital policies, programs, and practices to guide the agency. 

* The agency has a specific and explicit workforce planning strategy, 
linked to the overall strategic plan, and that allows for 
identification of current and future human capital needs. 

* The agency has defined the type of leaders it wants through written 
descriptions of roles, responsibilities, attributes, and competencies 
and has established broad performance expectations for them. 

* Senior leaders and managers attempt to build teamwork, reinforce the 
shared vision of the agency, and encourage feedback from employees, as
evidenced by actions taken to communicate this to all employees and 
the existence of opportunities for management to obtain feedback. 

* The agency's performance management system is given a high priority 
by top-level officials, and it is designed to guide the workforce to 
achieve the agency's shared vision/mission. 

* Procedures are in place to ensure that personnel with appropriate 
competencies are recruited and retained for the work of the agency, 
including a formal recruiting and hiring plan with explicit links to 
skill needs the agency has identified. 

* Employees are provided orientation, training, and tools to perform 
their duties and responsibilities, improve performance, enhance their 
capabilities, and meet the demands of changing organizational needs. 

* The compensation system is adequate to acquire, motivate, and retain 
personnel, and incentives and rewards are provided to encourage 
personnel to perform at maximum capability. 

* The agency provides workplace flexibilities, services, and 
facilities (e.g., career counseling, flextime, casual-dress days, and 
childcare) to help it compete for talent and enhance employee 
satisfaction and commitment. 

* Qualified and continuous supervision is provided to ensure that 
internal control objectives are being met. 

* Meaningful, honest, constructive performance evaluation and feedback 
are provided to help employees understand the connection between their 
performance and the achievement of the agency's goals. 

* Management conducts succession planning to ensure continuity of 
needed skills and abilities. 

4. Information Processing - The agency employs a variety of control 
activities suited to information processing systems to ensure accuracy 
and completeness. Consider the following:[Footnote 7] 

* Edit checks are used in controlling data entry. 

* Accounting for transactions is performed in numerical sequences. 

* File totals are compared with control accounts. 

* Exceptions or violations indicated by other control activities are 
examined and acted upon. 

* Access to data, files, and programs is appropriately controlled. 

5. Physical Control Over Vulnerable Assets - The agency employs 
physical control to secure and safeguard vulnerable assets. Consider 
the following: 

* Physical safeguarding policies and procedures have been developed, 
implemented, and communicated to all employees. 

* The agency has developed a disaster recovery plan, which is 
regularly updated and communicated to employees. 

* The agency has developed a plan for the identification of and 
protection of any critical infrastructure assets.[Footnote 8] 

* Assets that are particularly vulnerable to loss, theft, damage, or 
unauthorized use, such as cash, securities, supplies, inventories, and 
equipment, are physically secured and access to them controlled.
* Assets such as cash, securities, supplies, inventories, and 
equipment are periodically counted and compared to control records and 
exceptions examined. 

* Cash and negotiable securities are maintained under lock and key and 
access to them strictly controlled. 

* Forms such as blank checks and purchase orders are sequentially pre-
numbered and physically secured and access to them strictly controlled.
* Mechanical check signers and signature plates are physically 
protected and access to them strictly controlled. 

* Equipment vulnerable to theft is securely fastened or protected in 
some other manner. 

* Identification plates and numbers are affixed to office furniture 
and fixtures, equipment, and other portable assets. 

* Inventories, supplies, and finished items/goods are stored in 
physically secured areas and protected from damage. 

* Facilities are protected from fire by fire alarms and sprinkler 
systems. 

* Access to premises and facilities is controlled by fences, guards, 
and/or other physical controls. 

* Access to facilities is restricted and controlled during nonworking 
hours. 

6. Performance Measures and Indicators - The agency has established 
and monitors performance measures and indicators. Consider the 
following: 

* Performance measures and indicators have been established throughout 
the organization at the entitywide, activity, and individual level. 

* The agency periodically reviews and validates the propriety and 
integrity of both organizational and individual performance measures 
and indicators. 

* Performance measurement assessment factors are evaluated to ensure 
they are linked to mission, goals, and objectives, and are balanced 
and set appropriate incentives for achieving goals while complying 
with law, regulations, and ethical standards. 

* Actual performance data are continually compared against 
expected/planned goals and differences are analyzed. 

* Comparisons are made relating different sets of data to one another 
so that analyses of the relationships can be made and corrective 
actions can be taken if necessary. 

* Investigation of unexpected results or unusual trends leads to 
identification of circumstances in which the achievement of goals and 
objectives may be threatened and corrective action is taken. 

* Analysis and review of performance measures and indicators are used 
for both operational and financial reporting control purposes. 

7. Segregation of Duties - Key duties and responsibilities are divided 
or segregated among different people to reduce the risk of error, 
waste, or fraud. Consider the following: 

* No one individual is allowed to control all key aspects of a 
transaction or event. 

* Responsibilities and duties involving transactions and events are 
separated among different employees with respect to authorization, 
approval, processing and recording, making payments or receiving 
funds, review and auditing, and the custodial functions and handling 
of related assets. 

* Duties are assigned systematically to a number of individuals to 
ensure that effective checks and balances exist. 

* Where feasible, no one individual is allowed to work alone with 
cash, negotiable securities, or other highly venerable assets. 

* The responsibility for opening mail is assigned to individuals who 
have no responsibilities for or access to files or documents 
pertaining to accounts receivable or cash accounts. 

* Bank accounts are reconciled by employees who have no 
responsibilities for cash receipts, disbursements, or custody. 

* Management is aware that collusion can reduce or destroy the control 
effectiveness of segregation of duties and, therefore, is especially 
alert for it and attempts to reduce the opportunities for it to occur. 

8. Execution of Transactions and Events - Transactions and other 
significant events are authorized and performed by the appropriate 
personnel. Consider the following: 

* Controls ensure that only valid transactions and other events are 
initiated or entered into, in accordance with management's decisions 
and directives. 

* Controls are established to ensure that all transactions and other 
significant events that are entered into are authorized and executed 
only by employees acting within the scope of their authority. 

* Authorizations are clearly communicated to managers and employees 
and include the specific conditions and terms under which 
authorizations are to be made. 

* The terms of authorizations are in accordance with directives and 
within limitations established by law, regulation, and management. 

9. Recording of Transactions and Events - Transactions and other 
significant events are properly classified and promptly recorded. 
Consider the following: 

* Transactions and events are appropriately classified and promptly 
recorded so that they maintain their relevance, value, and usefulness 
to management in controlling operations and making decisions. 

* Proper classification and recording take place throughout the entire 
life cycle of each transaction or event, including authorization, 
initiation, processing, and final classification in summary records. 

* Proper classification of transactions and events includes 
appropriate organization and format of information on original 
documents (hardcopy paper or electronic) and summary records from 
which reports and statements are prepared. 

* Excessive adjustments to numbers or account classifications are not 
necessary prior to finalization of financial reports. 

10. Access Restrictions to and Accountability for Resources and 
Records - Access to resources and records is limited and 
accountability for their custody is assigned. Consider the following: 

* The risk of unauthorized use or loss is controlled by restricting 
access to resources and records only to authorized personnel. 

* Accountability for resources and records custody and use is assigned 
to specific individuals. 

* Access restrictions and accountability assignments for custody are 
periodically reviewed and maintained. 

* Periodic comparison of resources with the recorded accountability is 
made to determine if the two agree, and differences are examined. 

* How frequently actual resources are compared to records and the 
degree of access restrictions are functions of the vulnerability of 
the resource to the risk of errors, fraud, waste, misuse, theft, or 
unauthorized alteration. 

* Management considers such factors as asset value, portability, and 
exchangeability when determining the appropriate degree of access 
restrictions. 

* As a part of assigning and maintaining accountability for resources 
and records, management informs and communicates those 
responsibilities to specific individuals within the agency and assures 
that those people are aware of their duties for appropriate custody 
and use of those resources. 

11. Documentation - Internal Control and all transactions and other 
significant events are clearly documented. Consider the following: 

* Written documentation exists covering the agency's internal control 
structure and for all significant transactions and events. 

* The documentation is readily available for examination. 

* The documentation for internal control includes identification of 
the agency's activity-level functions and related objectives and 
control activities and appears in management directives, 
administrative policies, accounting manuals, and other such manuals. 

* Documentation for internal control includes documentation describing 
and covering automated information systems, data collection and 
handling, and the specifics of general and application control related 
to such systems.[Footnote 9] 

* Documentation of transactions and other significant events is 
complete and accurate and facilitates tracing the transaction or event 
and related information from authorization and initiation, through its 
processing, to after it is completed. 

* Documentation, whether in paper or electronic form, is useful to 
managers in controlling their operations and to any others involved in 
evaluating or analyzing operations. 

* All documentation and records are properly managed, maintained, and 
periodically updated. 

Control Activities Specific for Information Systems — General Control: 

As stated in the introduction to the Control Activities Section, there 
are some control activity factors specifically designed for 
information systems. As discussed in the standard, there are two broad 
groupings of information systems control - general control and 
application control. General control includes the structure, policies, 
and procedures that apply to the agency's overall computer operations. 
It applies to all information systems - mainframe, minicomputer, 
network, and end-user environments. General control creates the 
environment in which the agency's application systems operate. General 
control activities are presented first followed by application control 
activities. 

There are six major factors or categories of control activities that 
need to be considered by the user when evaluating general control: 
entitywide security management program, access control, application 
software development and change, system software control, segregation 
of duties, and service continuity. The factors and related points and 
some subsidiary points are listed below as examples of issues to be 
considered. They are meant to illustrate the range and variety of 
general control activities that are typically used. They are not all-
inclusive. Users should refer to the list of critical elements and 
control activities pertaining to general control provided in
GAO's Federal Information System Controls Audit Manual (FISCAM) 
(GAO/AIMD-12.19.6, January 1999). The list below summarizes the 
FISCAM's list; however, users should refer to the FISCAM for more 
detailed guidance in performing their evaluation and analysis. 

Entitywide Security Management Program: 

1. The agency periodically performs a comprehensive, high-level 
assessment of risks to its information systems. Consider the following: 

* Risk assessments are performed and documented regularly and whenever 
systems, facilities, or other conditions change. 

* Risk assessments consider data sensitivity and integrity. 

* Final risk determinations and managerial approvals are documented 
and kept on file. 

2. The agency has developed a plan that clearly describes the 
entitywide security program and policies and procedures that support 
it. 

3. Senior management has established a structure to implement and 
manage the security program throughout the agency, and security 
responsibilities are clearly defined.  

4. The agency has implemented effective security-related personnel 
policies.  

5. The agency monitors the security program's effectiveness and makes 
changes as needed. Consider the following:  

* Management periodically assesses the appropriateness of security 
policies and compliance with them.  

* Corrective actions are promptly and effectively implemented and 
tested, and they are continually monitored.  

Access Control: 

1. The agency classifies information resources according to their 
criticality and sensitivity. Consider the following:  

* Resource classifications and related criteria have been 
 established and communicated to resource owners. 
 
* Resource owners have classified their information resources based on 
the approved criteria and with regard to risk determinations and 
assessments and have documented those classifications.  

2. Resource owners have identified authorized users, and their access 
to the information has been formally authorized.  

3. The agency has established physical and logical controls to prevent 
or detect unauthorized access.  

4. The agency monitors information systems access, investigates 
apparent violations, and takes appropriate remedial and disciplinary 
action.  

Application Software Development and Change Control: 

1. Information system processing features and program modifications 
are properly authorized.  

2. All new or revised software is thoroughly tested and approved.  

3. The agency has established procedures to ensure control of its 
software libraries, including labeling, access restrictions, and use 
of inventories and separate libraries.  

System Software Control: 

1. The agency limits access to system software based on job 
responsibilities, and access authorization is documented.  

2. Access to and use of system software are controlled and monitored. 

3. The agency controls changes made to the system software.  

Segregation of Duties: 

1. Incompatible duties have been identified and policies implemented 
to segregate those duties.  

2. Access controls have been established to enforce segregation of 
duties.  

3. The agency exercises control over personnel activities through the 
use of formal operating procedures, supervision, and review.  

Service Continuity: 

1. The criticality and sensitivity of computerized operations have 
been assessed and prioritized, and supporting resources have been 
identified. 

2. The agency has taken steps to prevent and minimize potential damage 
and interruption through the use of data and program backup procedures 
including off-site storage of backup data as well as environmental 
controls, staff training, and hardware maintenance and management. 

3. Management has developed and documented a comprehensive contingency 
plan. 

4. The agency periodically tests the contingency plan and adjusts it 
as appropriate. 

Control Activities Specific for Information Systems — Application 
Control: 

Application control covers the structure, policies, and procedures 
designed to help ensure completeness, accuracy, authorization, and 
validity of all transactions during application processing. It 
includes both the routines contained within the computer program code 
as well as the policies and procedures associated with user 
activities, such as manual measures performed by the user to determine 
that the data were processed accurately by the computer. 

There are four major factors or categories of control activities that 
need to be considered by the user when evaluating application control: 
authorization control, completeness control, accuracy control, and 
control over integrity of processing and data files. The factors and 
related points and some subsidiary points are listed below as examples 
of issues to be considered. They are meant to illustrate the range and 
variety of application control activities that are typically used.
They are not all-inclusive. In the future, application control 
evaluation and testing will be addressed in Chapter 4 of GAO's Federal 
Information System Controls Audit Manual (FISCAM) (GAO/AIMD-12.19.6, 
January 1999). That chapter is currently under development and is 
expected to be issued with the first update of the FISCAM. However, 
the list of factors, points, and subsidiary points provided below 
generally follows the guidance expected to be issued in the
FISCAM. Users should refer to Chapter 4 of the FISCAM, when issued, 
for more detailed guidance in performing their evaluation and analysis. 

Authorization Control: 

1. Source documents are controlled and require authorization. Consider 
the following: 

* Access to blank source documents is restricted. 

* Source documents are pre-numbered sequentially. 

* Key source documents require authorizing signatures. 

* For batch application systems, batch control sheets are used 
providing information such as date, control number, number of 
documents, and control totals for key fields. 

* Supervisory or independent review of data occurs before it is 
entered into the application system. 

2. Data entry terminals have restricted access. 

3. Master files and exception reporting are used to ensure that all 
data processed are authorized. 

Completeness Control: 

1. All authorized transactions are entered into and processed by the 
computer.  

2. Reconciliations are performed to verify data completeness.  

Accuracy Control: 

1. The agency's data entry design features contribute to data 
accuracy.  

2. Data validation and editing are performed to identify erroneous 
data.  

3. Erroneous data are captured, reported, investigated, and promptly 
corrected.  

4. Output reports are reviewed to help maintain data accuracy and 
validity.  

Control Over Integrity of Processing and Data Files:  

1. Procedures ensure that the current version of production programs 
and data files are used during processing.  

2. Programs include routines to verify that the proper version of the 
computer file is used during processing.  

3. Programs include routines for checking internal file header labels 
before processing.  

4. The application protects against concurrent file updates.  

Control Activities Summary Section: Provide General Conclusions and 
Actions Needed Here: 

[End of section] 

Information And Communications: 

According to the fourth internal control standard, for an agency to 
run and control its operations, it must have relevant, reliable 
information, both financial and nonfinancial, relating to external as 
well as internal events. That information should be recorded and 
communicated to management and others within the agency who need it 
and in a form and within a time frame that enables them to carry out 
their internal control and operational responsibilities. In addition, 
the agency needs to make sure that the forms of communications are 
broad-based and that information technology management assures useful, 
reliable, and continuous communications. Managers and evaluators 
should consider the appropriateness of information and communication 
systems to the entity's needs and the degree to which they accomplish 
the objectives of internal control. Listed below are factors a user 
might consider. The list is a beginning point. It is not all-inclusive 
nor will every item apply to every agency or activity within the 
agency. Even though some of the functions and points may be subjective 
in nature and require the use of judgment, they are important in 
collecting appropriate data and information and in establishing and 
maintaining good communications. 

Information: 

1. Information from internal and external sources is obtained and 
provided to management as a part of the agency's reporting on 
operational performance relative to established objectives. Consider 
the following: 

* Internally generated information critical to achieving the agency's 
objectives, including information relative to critical success 
factors, is identified and regularly reported to management. 

* The agency obtains and reports to managers any relevant external 
information that may affect the achievement of its missions, goals, 
and objectives, particularly that related to legislative or regulatory 
developments and political or economic changes. 

* Internal and external information needed by managers at all levels 
is reported to them. 

2. Pertinent information is identified, captured, and distributed to 
the right people in sufficient detail, in the right form, and at the 
appropriate time to enable them to carry out their duties and 
responsibilities efficiently and effectively. Consider the following: 

* Managers receive analytical information that helps them identify 
specific actions that need to be taken.  

* Information is provided at the right level of detail for different 
levels of management.  

* Information is summarized and presented appropriately and provides 
pertinent information while permitting a closer inspection of details 
as needed.  

* Information is available on a timely basis to allow effective 
monitoring of events, activities, and transactions and to allow prompt 
reaction.  

* Program managers receive both operational and financial information 
to help them determine whether they are meeting the strategic and 
annual performance plans and meeting the agency's goals for 
 accountability of resources. 
 
* Operational information is provided to managers so that they may 
determine whether their programs comply with applicable laws and 
regulations.  

* The appropriate financial and budgetary information is provided for 
both internal and external financial reporting.  

Communications:   

1. Management ensures that effective internal communications occur. 
Consider the following:  

* Top management provides a clear message throughout the agency that 
internal control responsibilities are important and must be taken 
seriously.  

* Employees' specific duties are clearly communicated to them and they 
understand the relevant aspects of internal control, how their role 
fits into it, and how their work relates to the work of others. 

* Employees are informed that when the unexpected occurs in performing 
their duties, attention must be given not only to the event, but also 
to the underlying cause, so that potential internal control weaknesses
can be identified and corrected before they can do further harm to the 
agency. 

* Acceptable behavior versus unacceptable behavior and the 
consequences of improper conduct are clearly communicated to all 
employees. 

* Personnel have a means of communicating information upstream within 
the agency through someone other than a direct supervisor, and there 
is a genuine willingness to listen on the part of management. 

* Mechanisms exist to allow the easy flow of information down, across, 
and up the organization, and easy communications exist between 
functional activities, such as between procurement activities and
production activities. 

* Employees indicate that informal or separate lines of communications 
exist, which serve as a "fail-safe" control for normal communications 
avenues. 

* Personnel understand that there will be no reprisals for reporting 
adverse information, improper conduct, or circumvention of internal 
control activities. 

* Mechanisms are in place for employees to recommend improvements in 
operations, and management acknowledges good employee suggestions with 
cash awards or other meaningful recognition. 

* Management communicates frequently with internal oversight groups, 
such as senior management councils, and keeps them informed of 
performance, risks, major initiatives, and any other significant 
events. 

2. Management ensures that effective external communications occur 
with groups that can have a serious impact on programs, projects, 
operations, and other activities, including budgeting and financing. 
Consider the following: 

* Open and effective communications channels have been established 
with customers, suppliers, contractors, consultants, and other groups 
that can provide significant input on quality and design of agency 
products and services. 

* All outside parties dealing with the agency are clearly informed of 
the agency's ethical standards and also understand that improper 
actions, such as improper billings, kickbacks, or other improper 
payments, will not be tolerated. 

* Communications from external parties, such as other federal 
agencies, state and local governments, and other related third 
parties, is encouraged since it can be a source of information on how 
well internal control is functioning. 

* The agency has methods to ensure compliance with the Federal 
Advisory Committee Act of 1972 since such committees may include 
individuals external to the agency with whom communications could 
occur. 

* Complaints or inquires, especially those concerning services, such 
as shipments, receipts, and billings, are welcomed since they can 
point out control problems. 

* Management makes certain that the advice and recommendations of 
Inspectors General and other auditors and evaluators are fully 
considered and that actions are implemented to correct any problems or 
weaknesses they identify. 

* Communications with Congress, OMB, Treasury, other federal agencies, 
state and local governments, the media, the public, and others provide 
information relevant to the requesters' needs so that they can better 
understand the agency's mission, goals, and objectives, better 
understand the risks facing the agency, and thus better understand the 
agency. 

Forms and Means of Communications: 

1. The agency employs many and various forms and means of 
communicating important information with employees and others. 
Consider the following: 

* Management uses effective communications methods, which may include 
policy and procedures manuals, management directives, memoranda, 
bulletin board notices, internet and intranet web pages, videotaped 
messages, e-mail, and speeches. 

* Two of the most powerful forms of communications used by management 
are the positive actions it takes in dealing with personnel throughout 
the organization and its demonstrated support of internal control. 

2. The agency manages, develops, and revises its information systems 
in an effort to continually improve the usefulness and reliability of 
its communication of information. Consider the following: 

* Information systems management is based on a strategic plan for 
information systems that is linked to the agency's overall strategic 
plan. 

* A mechanism exists for identifying emerging information needs. 

* As part of the agency's information management, improvements and 
advances in technology are monitored, analyzed, evaluated, and 
introduced to help the agency respond more rapidly and efficiently to 
those it serves. 

* Management continually monitors the quality of the information 
captured, maintained, and communicated as measured by such factors as 
appropriateness of content, timeliness, accuracy, and accessibility. 

* Management's support for the development of information technology 
is demonstrated by its commitment of appropriate human and financial
resources to the effort. 

Information and Communications Summary Section: Provide General 
Conclusions and Actions Needed Here: 

[End of section] 

Monitoring: 

Monitoring is the final internal control standard. Internal control 
monitoring should assess the quality of performance over time and 
ensure that the findings of audits and other reviews are promptly 
resolved. In considering the extent to which the continued 
effectiveness of internal control is monitored, both ongoing 
monitoring activities and separate evaluations of the internal control 
system, or portions thereof, should be considered. Ongoing monitoring 
occurs during normal operations and includes regular management and 
supervisory activities, comparisons, reconciliations, and other 
actions people take in performing their duties. It includes ensuring 
that managers and supervisors know their responsibilities for internal 
control and the need to make control and control monitoring part of 
their regular operating processes. Separate evaluations are a way to 
take a fresh look at internal control by focusing directly on the 
controls' effectiveness at a specific time. These evaluations may take 
the form of self-assessments as well as review of control design and 
direct testing, and may include the use of this Management and 
Evaluation Tool or some similar device. In addition, monitoring 
includes policies and procedures for ensuring that any audit and 
review findings and recommendations are brought to the attention of 
management and are resolved promptly. Managers and evaluators should 
consider the appropriateness of the agency's internal control 
monitoring and the degree to which it helps them accomplish their 
objectives. Listed below are factors a user might consider. The list 
is a beginning point. It is not all-inclusive, and every item might 
not apply to every agency or activity within the agency. Even though 
some of the functions and points may be subjective in nature and 
require the use of judgment, they are important in establishing and 
maintaining good internal control monitoring policies and procedures. 

Ongoing Monitoring: 

1. Management has a strategy to ensure that ongoing monitoring is 
effective and will trigger separate evaluations where problems are 
identified or systems are critical and testing is periodically 
desirable. Consider the following: 

* Management's strategy provides for routine feedback and monitoring 
of performance and control objectives. 

* The monitoring strategy includes methods to emphasize to program and 
operational mangers that they have responsibility for internal control 
and that they should monitor the effectiveness of control activities 
as a part of their regular duties. 

* The monitoring strategy includes methods to emphasize to program 
mangers their responsibility for internal control and their duties to 
regularly monitor the effectiveness of control activities. 

* The monitoring strategy includes identification of critical 
operational and mission support systems that need special review and 
evaluation. 

* The strategy includes a plan for periodic evaluation of control 
activities for critical operational and mission support systems. 

2. In the process of carrying out their regular activities, agency 
personnel obtain information about whether internal control is 
functioning properly. Consider the following: 

* Operating reports are integrated or reconciled with financial and 
budgetary reporting system data and used to manage operations on an 
ongoing basis, and management is aware of inaccuracies or exceptions 
that could indicate internal control problems. 

* Operating management compares production, sales, or other operating 
information obtained in the course of its daily activities to system-
generated information and follows up on any inaccuracies or other 
problems that might be found. 

* Operating personnel are required to "sign-off' on the accuracy of 
their unit's financial statements and are held accountable if errors 
are discovered. 

3. Communications from external parties should corroborate internally 
generated data or indicate problems with internal control. Consider 
the following: 

* Management recognizes that customers paying for invoices help to 
corroborate billing data, while customer complaints indicate that 
deficiencies may exist; and these deficiencies are then investigated 
to determine the underlying causes. 

* Communications from vendors and monthly statements of accounts 
payable are used as control monitoring techniques. 

* Supplier complaints about any unfair practices by agency purchasing 
agents are investigated. 

* Congress and oversight groups communicate information to the agency 
about compliance or other matters that reflect on the functioning of 
internal control, and management follows up on any problems indicated. 

* Control activities that should have prevented or detected any 
problems that arose, but did not function properly, are reassessed. 

4. Appropriate organizational structure and supervision help provide 
oversight of internal control functions. Consider the following: 

* Automated edits and checks as well as clerical activities are used 
to help control accuracy and completeness of transaction processing. 

* Separation of duties and responsibilities is used to help deter 
fraud. 

* The Inspector General is independent and has authority to report 
directly to the agency head and does not conduct agency operations for 
management. 

5. Data recorded by information and financial systems are periodically 
compared with physical assets and discrepancies are examined. Consider 
the following: 

* Inventory levels of materials, supplies, and other assets are 
checked regularly; differences between recorded and actual amounts are 
corrected; and the reasons for the discrepancies resolved. 

* The frequency of the comparison is a function of the vulnerability 
of the asset. 

* Custodial accountability for assets and resources is assigned to 
responsible individuals. 

6. The Inspector General and other auditors and evaluators regularly 
provide recommendations for improvements in internal control with 
management taking appropriate follow-up action. 

7. Meetings with employees are used to provide management with 
feedback on whether internal control is effective. Consider the 
following: 

* Relevant issues, information, and feedback concerning internal 
control raised at training seminars, planning sessions, and other 
meetings are captured and used by management to address problems or 
strengthen the internal control structure. 

* Employee suggestions on internal control are considered and acted 
upon as appropriate. 

* Management encourages employees to identify internal control 
weaknesses and report them to the next supervisory level. 

8. Employees are regularly asked to state explicitly whether they 
comply with the agency's code of conduct or similar agency 
pronouncements of expected employee behavior. Consider the following: 

* Personnel periodically acknowledge compliance with the code of 
conduct. 

* Signatures are required to evidence performance of critical internal 
control functions, such as reconciliations. 

Separate Evaluations: 

1. The scope and frequency of separate evaluations of internal control 
are appropriate for the agency. Consider the following: 

* Consideration is given to the risk assessment results and the 
effectiveness of ongoing monitoring when determining the scope and 
frequency of separate evaluations. 

* Separate evaluations are often prompted by events such as major 
changes in management plans or strategies, major expansion or 
downsizing of the agency, or significant changes in operations or 
processing of financial or budgetary information. 

* Appropriate portions or sections of internal control are evaluated 
regularly. 

* Separate evaluations are conducted by personnel with the required 
skills that may include the agency's Inspector General or an external 
auditor. 

2. The methodology for evaluating the agency's internal control is 
logical and appropriate. Consider the following: 

* The methodology used may include self-assessments using checklists, 
questionnaires, or other such tools, and it may include the use of 
this Management and Evaluation Tool or some similar device. 

* The separate evaluations may include a review of the control design 
and direct testing of the internal control activities. 

* In agencies where large amounts of data are processed by the 
information and/or financial systems, separate evaluation methodology 
employs computer assisted audit techniques to identify indicators of 
inefficiencies, waste, or abuse. 

* The evaluation team develops a plan for the evaluation process to 
ensure a coordinated effort. 

* If the evaluation process is conducted by agency employees, it is 
managed by an executive with the requisite authority, capability, and 
experience. 

Separate Evaluations: 

* The evaluation team gains a sufficient understanding of the agency's 
missions, goals, and objectives and its operations and activities. 

* The evaluation team gains an understanding of how the agency's 
internal control is supposed to work and how it actually does work. 

* The evaluation team analyzes the results of the evaluation against 
established criteria. 

* The evaluation process is properly documented. 

3. If the separate evaluations are conducted by the agency's Inspector 
General, that office has sufficient resources, ability, and 
independence. Consider the following:[Footnote 10] 

* The Inspector General has sufficient levels of competent and 
experienced staff. 

* The Inspector General is organizationally independent and reports to 
the highest levels within the agency. 

* The responsibilities, scope of work, and audit plans of the 
Inspector General are appropriate to the agency's needs. 

4. Deficiencies found during separate evaluations are promptly 
resolved. Consider the following: 

* Deficiencies are promptly communicated to the individual responsible 
for the function and also to at least one level of management above 
that individual. 

* Serious deficiencies and internal control problems are promptly 
reported to top management. 

Audit Resolution:[Footnote 11] 

1. The agency has a mechanism to ensure the prompt resolution of 
findings from audits and other reviews. Consider the following: 

* Managers promptly review and evaluate findings resulting from 
audits, FMFIA and FFMIA assessments, and other reviews, including 
those showing deficiencies and those identifying opportunities for 
improvements. 

* Management determines the proper actions to take in response to 
findings and recommendations. 

* Corrective action is taken or improvements made within established 
time frames to resolve the matters brought to management's attention. 

* In cases where there is disagreement with the findings or 
recommendations, management demonstrates that those findings or 
recommendations are either invalid or do not warrant action. 

* Management considers consultations with auditors (such as GAO, the 
Inspector General, and other external auditors), and reviewers when 
they are believed to be helpful in the audit resolution process. 

2. Agency management is responsive to the findings and recommendations 
of audits and other reviews aimed at strengthening internal control. 
Consider the following: 

* Executives with the proper authority evaluate the findings and 
recommendations and decide upon the appropriate actions to take to 
correct or improve control. 

* Desired internal control actions are followed up on to verify 
implementation. 

3. The agency takes appropriate follow-up actions with regard to 
findings and recommendations of audits and other reviews. Consider the 
following: 

* Problems with particular transactions or events are corrected 
promptly. 

* The underlying causes giving rise to the findings or recommendations 
are investigated by management. 

* Actions are decided upon to correct the situation or take advantage 
of the opportunity for improvements. 

* Management and auditors follow up on audit and review findings, 
recommendations, and the actions decided upon to ensure that those 
actions are taken. 

* Top management is kept informed through periodic reports on the 
status of audit and review resolution so that it can ensure the 
quality and timeliness of individual resolution decisions. 

Monitoring Summary Section: Provide General Conclusions and Actions 
Needed Here: 

[End of section] 

Overall Internal Control Summary:  

Control Environment: 

Management and employees have a positive and supportive attitude 
toward internal control and conscientious management. Management 
conveys the message that integrity and ethical values must not be 
compromised. The agency demonstrates a commitment to the competence of 
its personnel and employs good human capital policies and practices. 
Management has a philosophy and operating style that is appropriate to 
the development and maintenance of effective internal control. 
The agency's organizational structure and the way in which it assigns 
authority and responsibility contribute to effective internal control. 
The agency has a good working relationship with Congress and oversight 
groups.  

Risk Assessment: 

The agency has established clear and consistent entitywide objectives 
and supporting activity-level objectives. Management has made a 
thorough identification of risks, from both internal and external 
sources, that may affect the ability of the agency to meet those 
objectives. An analysis of those risks has been performed, and the 
agency has developed an appropriate approach for risk management. In 
addition, mechanisms are in place to identify changes that may affect 
the agency's ability to achieve its missions, goals, and objectives.  

Control Activities:  

Appropriate policies, procedures, techniques, and control mechanisms 
have been developed and are in place to ensure adherence to 
established directives. Proper control activities have been developed 
for each of the agency's activities. The control activities identified 
as necessary are actually being applied properly.  

Information and Communications: 

Information systems are in place to identify and record pertinent 
operational and financial information relating to internal and 
external events. That information is communicated to management and 
others within the agency who need it and in a form that enables them 
to carry out their duties and responsibilities efficiently and 
effectively. Management ensures that effective internal communications 
take place. It also ensures that effective external communications 
occur with groups that can affect the achievement of the agency's 
missions, goals, and objectives. The agency employs various forms of 
communications appropriate to its needs and manages, develops, and 
revises its information systems in a continual effort to improve 
communications. 

Monitoring: 

Agency internal control monitoring assesses the quality of performance 
over time. It does this by putting procedures in place to monitor 
internal control on an ongoing basis as a part of the process of 
carrying out its regular activities. It includes ensuring that 
managers know their responsibilities for internal control and control
monitoring. In addition, separate evaluations of internal control are 
periodically performed and the deficiencies found are investigated. 
Procedures are in place to ensure that the findings of all audits and 
other reviews are promptly evaluated, decisions are made about the 
appropriate response, and actions are taken to correct or otherwise 
resolve the issues promptly. 

[End of section] 

Related Products: 

These related products address three main categories: internal 
control, financial management systems, and financial reporting 
(accounting standards). We have developed these guidelines and tools 
to assist agencies in improving or maintaining effective operations 
and financial management. 

Internal Control: 

Standards for Internal Control in the Federal Government, GAO/AIMD-00-
21.3.1, November 1999.  

Streamlining the Payment Process While Maintaining Effective Internal
Control, GAO/AIMD-00-21.3.2, May 2000. 

Determining Performance and Accountability Challenges and High
Risks, GAO-01-159SP, November 2000. 

Financial Management Systems: 

Framework for Federal Financial Management System Checklist, GAO/AIMD-
98-21.2.1, May 1998. 

Inventory System Checklist, GAO/AIMD-98-21.2.4, May 1998. 

System Requirements for Managerial Cost Accounting Checklist, GAO/AIMD-
99-21.2.9, January 1999.  

Core Financial System Requirements Checklist, GAO/AIMD-00-21.2.2, 
February 2000. 

Human Resources and Payroll Systems Requirements Checklist, GAO/AIMD-
00-21.2.3, March 2000.   

Direct Loan System Requirements Checklist, GAO/AIMD-00-21.2.6, April 
2000. 

Travel System Requirements Checklist, GAO/AIMD-00-21.2.8, May 2000.  

Seized Property and Forfeited Assets Requirements Checklist, GAO-01-
99G, October 2000. 

Guaranteed Loan System Requirements Checklist, GAO-01-371G, March 2001. 

Financial Reporting (Accounting Standards): 
"Checklist for Reports Prepared Under the CFO Act," (Section 1004 of the
GAO/PCIE Financial Audit Manual (FAM), July 2001). This is a checklist 
containing agency financial statement reporting requirements. 

These documents are available on the Internet on GAO's home page 
(www.gao.gov) under the heading "Other Publications" and the 
subheading "Accounting and Financial Management." They can also be 
obtained from GAO, 700 4th Street NW, Room 1100, Washington DC 20548, 
or by calling (202) 512-6000 or TDD (202) 512-2537. 

[End of section] 

Ordering Information: 

The first copy of each GAO report is free. Additional copies of 
reports are $2 each. A check or money order should be made out to the 
Superintendent of Documents. VISA and MasterCard credit cards are 
accepted, also. 

Orders for 100 or more copies to be mailed to a single address are 
discounted 25 percent. 

Orders by mail: 

U.S. General Accounting Office: 
P.O. Box 37050: 
Washington, DC 20013: 

Orders by visiting: 
Room 1100: 
700 4th St. NW (corner of 4th and G Sts. NW):
U.S. General Accounting Office: 
Washington, DC: 

Orders by phone: 

(202) 512-6000: 
fax: (202) 512-6061: 
TDD (202) 512-2537: 

Each day, GAO issues a list of newly available reports and testimony. 
To receive facsimile copies of the daily list or any list from the 
past 30 days, please call (202) 512-6000 using a touchtone phone. A 
recorded menu will provide information on how to obtain these lists. 

Orders by Internet: 

For information on how to access GAO reports on the Internet, send an 
e-mail message with "info" in the body to: 

info@www.gao.gov: 

or visit GAO's World Wide Web home page at: 

http://www.gao.gov. 

To Report Fraud, Waste, or Abuse in Federal Programs: 

Contact one: 

* Web site: http://www.gao.gov/fraudnet/fraudnet.htm; 
* e-mail: fraudnet@gao.gov; 
* 1-800-424-5454 (automated answering system). 

[End of section] 
 
Footnotes: 

[1] OMB Circular A-123 uses the term "management control," whereas 
this document uses the term "internal control." GAO's internal control 
standards state that these terms are synonymous. 

[2] Executive branch employees are subject to standards and principles 
of ethical conduct in accordance with 5CFR2635 and Executive Orders 
12674 and 12731. 

[3] Specific subsidiary points to consider with regard to physical 
control over vulnerable assets are discussed under the section on 
"Control Activities," under "Common Categories of Control Activities," 
5th point. 

[4] Agencies may or may not have an internal audit function separate 
and apart from the Inspector General. 

[5] This point is closely related to the functions, points, and 
subsidiary points included in the "Monitoring" section. See that 
section for more specific information on monitoring and periodic 
evaluation of control activities. 

[6] For more detailed information about items to consider, see GAO 
publication Human Capital: A Self-Assessment Checklist for Agency 
Leaders (GAO/OGC-00-14G, September 2000, Version 1). 

[7] Further guidance on control activities for information processing 
is provided in the following section under "Control Activities 
Specific for Information Systems." In addition, see GAO's FISCAM and OMB
Circular A-130, Management of Federal Information Resources. 

[8] Critical infrastructure assets are those assets of physical and 
cyber-based systems that are essential to the minimum operations of 
the economy and government. In accordance with Presidential Decision 
Directive No. 63, dated May 22, 1998, each federal agency is 
responsible for identifying its own critical infrastructure and 
developing a protection plan for it. 

[9] Additional guidance on documentation of control activities for 
information processing is provided in the following section under 
"Control Activities Specific for Information Systems." In addition, 
see GAO's FISCAM and OMB Circular A-130, Management of Federal 
Information Resources. 

[10] This particular point and the related subsidiary points are not 
expected to be assessed by agency management or the agency Inspector 
General. However, their consideration may be useful in outside reviews 
or peer reviews. 

[11] Audit Resolution includes the resolution of findings and 
recommendations not just from formal audits, but also resulting from 
informal reviews, internal separate evaluations, management studies, 
and assessments made pursuant to the requirements of the Federal 
Managers' Financial Integrity Act (FMFIA) of 1982 and the Federal 
Financial Management Improvement Act (FFMIA) of 1996. 

[End of document]