Internal Control Management and Evaluation Tool: Exposure Draft
(Guidance, 02/01/2001, GAO/GAO-01-131G).

The Federal Managers' Financial Integrity Act of 1982 required that GAO
issue standards for internal control in the federal government, which it
did in 1983. Since then, changes in information technology, human
capital management issues, and financial management-related legislation
required that the internal control standards be reviewed. GAO revised
the standards and issued another internal control guide (see
GAO/AIMD-00-21.3.1, November 1999). These standards provide the overall
framework for establishing and maintaining internal control and for
identifying and addressing major performance challenges and areas at
greatest risk for fraud, waste, abuse, and mismanagement. GAO is issuing
this management and evaluation tool, which is basted on GAO's internal
control guide, to assist agencies in maintaining or implementing
effective internal control and, when needed, to help determine what,
where, and how improvements can be implemented. Although this tool is
not required to be used, it is intended to provide a systematic,
organized, and structured approach to assessing the internal control
structure.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  GAO-01-131G
     TITLE:  Internal Control Management and Evaluation Tool: Exposure
	     Draft
      DATE:  02/01/2001
   SUBJECT:  Internal controls
	     Standards evaluation
	     Auditing standards
	     Auditing procedures

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-01-131G

United States General Accounting Office Washington, DC 20548

February 2001 HEADS OF DEPARTMENTS AND AGENCIES The Federal Managers'
Financial Integrity Act of 1982 requires, among other things, that the
General Accounting Office (GAO) issue standards for internal control in the
federal government. GAO first issued the standards in 1983. They became
widely known throughout the government as the “Green Book.”
Since then, changes in information technology, emerging issues involving
human capital management, and requirements of recent financial management-
related legislation has prompted renewed focus on internal control.
Consequently, GAO revised the standards and reissued them as Standards for
Internal Control in the Federal Government (GAO/ AIMD- 00- 21. 3.1, November
1999). These standards provide the overall framework for establishing and
maintaining internal control and for identifying and addressing major
performance challenges and areas at greatest risk for fraud, waste, abuse,
and mismanagement.

We are issuing this Management and Evaluation Tool, which is based upon
GAO's Standards for Internal Control in the Federal Government, to assist
agencies in maintaining or implementing effective internal control and, when
needed, to help determine what, where, and how improvements can be
implemented. Although this tool is not required to be used, it is intended
to provide a systematic, organized, and structured approach to assessing the
internal control structure. This tool, GAO's Standards for Internal Control,
and the Office of Management and Budget Circular A- 123, Management
Accountability and Control (Revised June 21, 1995), should be used
concurrently. Judgment must be applied in the interpretation and application
of this tool to enable a user to consider the impact of the completed
document on the entire internal control structure.

To facilitate review, this Exposure Draft is located on the Internet on
GAO's Home Page (www. gao. gov) under “Other Publications.”
Additional copies can be obtained from the U. S. General Accounting Office,
Room 1100, 700 4th Street, NW, Washington, DC 20548, or by calling (202)
512- 6200, or TDD (202) 512- 2537. Please send comments by May 15, 2001, to
Bruce K. Michelson, Assistant Director, Financial Management and Assurance
Team, at the U. S. General Accounting Office, 441 G Street, NW, Room 5061,
Washington, DC 20548.

Jeffrey C. Steinhoff Managing Director Financial Management and Assurance

GAO United States General Accounting Office

Internal Control Standards

February 2001 Internal Control Management and Evaluation Tool

EXPOSURE DRAFT

GAO- 01- 131G

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01)

CONTENTS

Introduction 3 Control Environment 7 Risk Assessment 21 Control Activities
31 Information and Communications 49 Monitoring 57 Overall Summary 65
Related Products 67

Abbreviations

CFO Chief Financial Officer COSO Committee of Sponsoring Organizations of
the Treadway Commission FAM Financial Audit Manual FFMIA Federal Financial
Management Improvement Act of 1996 FISCAM Federal Information System
Controls Audit Manual FMFIA Federal Managers' Financial Integrity Act of
1982 GAO General Accounting Office GPRA Government Performance and Results
Act of 1993 OMB Office of Management and Budget

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 2

(BLANK)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 3

INTRODUCTION

As federal managers strive to achieve their agency's missions and goals and
provide accountability for their operations, they need to continually assess
and evaluate their internal control structure to assure that it is well
designed and operated, appropriately updated to meet changing conditions,
and provides reasonable assurance that the objectives of the agency are
being achieved. Specifically, managers need to examine internal control to
determine how well it is performing, how it may be improved, and the degree
to which it helps identify and address major risks for fraud, waste, abuse,
and mismanagement.

This document is an Internal Control Management and Evaluation Tool.
Although this tool is not required to be used, it is intended to help
management and evaluators determine how well an agency's internal control is
designed and functioning and help determine what, where, and how
improvements, when needed, may be implemented.

This tool is based upon the guidance provided in GAO's Standards for
Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, issued
November 1999). That document provides context for the use and application
of this tool. Consequently, users of this tool should be familiar with the
standards provided in that document. In addition, users should be
experienced staff who are familiar with internal control terminology, the
use of control activities and techniques, and the overall application of
internal control requirements.

The tool is presented in five sections corresponding to the five standards
for internal control: control environment, risk assessment, control
activities, information and communications, and monitoring. Each section
contains a list of major factors to be considered when reviewing internal
control as it relates to the particular standard. These factors represent
some of the more important issues addressed by the standard. Included under
each factor are points and subsidiary points that users should consider when
addressing the factor. The points and subsidiary points are intended to help
users consider specific items that indicate the degree to which internal
control is functioning. Users should apply informed judgment when
considering the specific points and subsidiary points to determine (1) the
applicability of the point to the circumstances, (2) whether the agency has
actually been able to implement, perform, or apply the point, (3) any
control weaknesses that may actually result, and (4) the extent to which the
point impacts on the agency's ability to achieve its mission and goals.

Space is provided beside each point and subsidiary point for the user to
note comments or provide descriptions of the circumstances affecting the
issue. Comments and descriptions usually will not be of the
“yes/no” type, but will generally include information on how the
agency does or does not address the issue. This tool is intended to help
users reach a conclusion about the agency's internal control as it pertains
to the particular standard. In this regard, a space is provided at the end
of each section for the user to note the general overall assessment and to
identify actions that might need to be taken or considered. Additional space
is provided for an overall summary assessment at the end of the tool.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 4

This tool could be useful in assessing internal control as it relates to the
achievement of the objectives in any of the three major control categories,
i.e. effectiveness and efficiency of operations, reliability of financial
reporting, and compliance with laws and regulations. It may also be useful
with respect to the subset objective of safeguarding assets from fraud,
waste, abuse, or misuse. In addition, the tool may be used when considering
internal control as it relates to any of the various activities of an
agency, such as administration, human capital management, financial
management, acquisition and procurement, provision of goods or services,
etc.

Furthermore, the tool may be helpful in meeting the reporting requirements
of the Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA
requires annual reporting on agency internal control. The Act directs the
head of each executive agency to provide an annual statement as to whether
the agency's internal control complies with the prescribed standards.
Essentially, this requires the report to make a declaration as to the
effectiveness of the internal control. If the internal control does not
comply with such requirements, the report is to identify material weaknesses
and the plans and schedule for correcting those weaknesses. Office of
Management and Budget (OMB) Circular A-123, Management Accountability and
Control,

revised June 21, 1995, provides agencies guidance on how to satisfy the
FMFIA reporting requirements. 1

It should be understood that this tool is not an authoritative part of the
Standards for Internal Control. Rather, it is intended as a supplemental
guide that federal managers and evaluators may use in assessing the
effectiveness of internal control and identifying important aspects of
control in need of improvement. Users should keep in mind that this tool is
a starting point and that it can and should be modified to fit the
circumstances, conditions, and risks relevant to the situation of the
agency. Not all of the points or subsidiary points need to be considered for
every agency or activity. Users should consider the relevant points and
subsidiary points and delete or add others as appropriate to their
particular entity or circumstances. In addition, users should note that this
document follows the format of the Standards for Internal Control. Users may
rearrange or reorganize the points and subsidiary points to fit their
particular needs or desires.

It should be further noted that this tool is not the only resource available
for assessing internal control. It should be used in conjunction with other
resources such as the guidance provided in OMB Circular A-123, Management
Accountability and Control, revised June 21, 1995. Financial statement
auditors should follow GAO's Financial Audit Manual (FAM),
(GAO/AFMD-12.19.5A/B, December 1997), as amended. The FAM provides the
process and methodology the auditor is to follow when reviewing internal
control in financial audits. The financial auditor considers internal
control primarily as it relates to financial reporting and compliance with
laws and regulations. Relating to internal control, the FAM focuses on the
auditor's identification and assessment of risk as it relates to the
financial statement audit objectives. On the other hand, this tool discusses
internal control from a broader, overall entity perspective based on the
internal control standards and focusing on management's operational and
program objectives. Although the focus of each document is different, they
are complementary.

1 OMB Circular A- 123 uses the term “management control,”
whereas this document uses the term “internal

control.” GAO's Internal Control Standards state that these terms are
synonymous.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 5

This Management and Evaluation Tool was developed using many different
sources of information and ideas. The primary source was, of course, GAO's
Standards for Internal Control in the Federal Government. Additional
guidance was obtained from the “Evaluation Tools” Section of
Internal Control – Integrated Framework, by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO), issued in
September 1992. Consideration was given to the requirements of pertinent
legislation including the Federal Managers' Financial Integrity Act (FMFIA)
of 1982, the Chief Financial Officers Act of 1990, the Government
Performance and Results Act (GPRA) of 1993, and the Federal Financial
Management Improvement Act (FFMIA) of 1996. Further guidance was developed
using prior GAO publications including HUMAN CAPITAL: A Self-Assessment
Checklist for Agency Leaders, Discussion Draft (GAO/GGD-99-179, September
1999) and the Federal Information System Controls Audit Manual (FISCAM)
(GAO/AIMD-12.19.6, January 1999). Finally, essential material was also
developed based on the many years of experience of many GAO evaluators and
analysts in reviewing and assessing federal agency internal control.

This publication is one in a series of documents issued by GAO to assist
agencies in improving or maintaining effective operations. See the last page
of this document for a listing of related products.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 6

(BLANK)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 7

CONTROL ENVIRONMENT

According to the first internal control standard, which relates to control
environment, management and employees should establish and maintain an
environment throughout the organization that sets a positive and supportive
attitude toward internal control and conscientious management. There are
several key factors that affect the accomplishment of this goal. Management
and evaluators should consider each of these control environment factors
when determining whether a positive control environment has been achieved.
The factors that should be focused on are listed below. The list is a
beginning point. It is not all-inclusive and not every item will apply to
every agency or activity within the agency. Even though some of the
functions are subjective in nature and require the use of judgment, they are
important in achieving control environment effectiveness.

Integrity and Ethical Values Comments/Descriptions 1. The agency has
established and uses formal codes of

conduct and other policies communicating appropriate ethical and moral
behavioral standards and addressing acceptable operational practices and
conflicts of interest. Consider the following:

The codes are comprehensive in nature and directly address issues such as
improper payments, appropriate use of resources, conflicts of interest,
political activities of employees, acceptance of gifts or foreign
decorations, technical proficiency and continuing education, and use of due
professional care.

The codes are periodically acknowledged by signature from all employees.

Employees indicate that they know what kind of behavior is acceptable and
unacceptable, know what penalties unacceptable behavior may bring, and what
to do if they become aware of unacceptable behavior.

2. An ethical tone has been established at the top of the organization and
has been communicated throughout the agency. Consider the following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 8

Integrity and Ethical Values Comments/Descriptions

Management fosters and encourages an agency culture that emphasizes the
importance of integrity and ethical values. This might be achieved through
oral communications in meetings, via one-on-one discussions, and by example
in day-to-day activities.

Employees indicate that peer pressure exists for appropriate moral and
ethical behavior.

Management takes quick and appropriate action as soon as there are any signs
that a problem may exist.

3. Dealings with employees, suppliers, insurers, auditors, Congress, the
public, and others are conducted on a high ethical plane. Consider the
following:

Financial, budgetary, and operational reports to Congress and the public are
proper and accurate (not intentionally misleading).

Management cooperates with auditors and other evaluators, does not attempt
to hide known problems from them, and values their comments and
recommendations.

Underbillings by suppliers or overpayments by users or customers are quickly
corrected.

The agency has a well-defined and understood process for dealing with
employee claims and concerns in a timely and appropriate manner and no
effort is made to reject such claims.

4. Appropriate disciplinary action is taken in response to departures from
approved policies and procedures or violations of the code of conduct.
Consider the following:

Management takes action when there are violations of policies, procedures,
or the code of conduct.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 9

Integrity and Ethical Values Comments/Descriptions

The types of disciplinary actions that can be taken are widely communicated
throughout the agency so that others know that if they behave improperly,
they will face similar consequences.

5. Management appropriately addresses intervention or overriding internal
control. Consider the following:

Guidance exists concerning the circumstances and frequency with which
intervention may be needed.

Any intervention or overriding of internal control is fully documented as to
reasons/specific actions taken.

Overriding of internal control by low-level management personnel is
prohibited when applicable.

6. Management removes temptation for unethical behavior. Consider the
following:

Management does not pressure employees to meet unrealistic performance
goals.

Management does not provide extreme incentives or other unfair or
unnecessary temptations that test integrity or adherence to ethical values.

Compensation and promotion are based on achievements and performance.

Commitment to Competence Comments/Descriptions 1. Management has identified
and defined the tasks

required to accomplish particular jobs and fill the various positions.
Consider the following:

Management has analyzed the tasks that need to be performed for particular
jobs and given consideration to such things as the level of judgment
required and the extent of supervision necessary.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 10

Commitment to Competence Comments/Descriptions

Formal job descriptions or other means of identifying and defining specific
tasks required for job positions have been established.

2. The agency has performed analyses of the knowledge, skills, and abilities
needed to perform jobs in an appropriate manner. Consider the following:

The knowledge, skills, and abilities needed for various jobs have been
identified and made known to employees.

Evidence exists that the agency attempts to make sure that employees
selected for various positions have the requisite knowledge, skills, and
abilities.

3. The agency provides training and counseling in order to help employees
maintain and improve their competence for the job. Consider the following:

There is an appropriate training program to meet the needs of all employees.

The agency emphasizes the need for continuing training and has a control
mechanism to help ensure that all employees actually received appropriate
training.

Performance appraisals are based on an assessment of critical job factors
and clearly identify areas in which the employee is performing well and
areas that need improvement.

Employees are provided candid and constructive job performance counseling.

4. Key senior-level employees have a demonstrated ability in general
management and extensive practical experience in operating governmental or
business entities.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 11

Management's Philosophy and Operating Style Comments/Descriptions 1.
Management has an appropriate attitude toward risk-

taking, and proceeds with new ventures, missions, or operations only after
carefully analyzing the risks involved and determining how they may be
minimized or mitigated.

2. Management enthusiastically endorses the use of performance-based
management.

3. There has not been excessive personnel turnover in key functions such as
operations and program management, accounting, or internal audit that would
indicate a problem with the agency's emphasis on internal control. Consider
the following:

There has not been excessive turnover of supervisory personnel related to
internal control problems, and there is a strategy for dealing with turnover
related to constraints and limitations such as salary caps.

Key personnel have not quit unexpectedly. There is no pattern to personnel
turnover that would

indicate a problem with the emphasis that management places in internal
control.

4. Management has a positive and supportive attitude toward the functions of
accounting, information management systems, personnel operations,
monitoring, and internal and external audits and evaluations. Consider the
following:

The financial accounting and budgeting operations are considered essential
to the well-being of the organization and viewed as methods for exercising
control over the entity's various activities.

Management regularly relies on accounting/financial data from its systems
for decision-making purposes and performance evaluation.

If the accounting operation is decentralized, unit accounting personnel also
have responsibility to central financial officers.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 12

Management's Philosophy and Operating Style Comments/Descriptions

Both the financial accounting and budgeting operations are under the
direction of the Chief Financial Officer (CFO) and strong synchronization
and coordination exists between budgetary and proprietary financial
accounting activities.

Management looks to the information management function for critical
operating data and supports efforts to make improvements in the systems as
technology advances.

Personnel operations have a high priority and senior executives emphasize
the importance of good human capital management.

Management places a high degree of importance on the work of the Inspector
General, external audits, and other evaluations and studies and is
responsive to information developed through such products.

5. Valuable assets and information are safeguarded from unauthorized access
or use.

6. There is frequent interaction between senior management and
operating/program management, especially when operating from geographically
dispersed locations.

7. Management has an appropriate attitude toward financial, budgetary, and
operational/programatic reporting. Consider the following:

Management is informed and involved in critical financial reporting issues
and supports a conservative approach toward the application of accounting
principles and estimates.

Management supports the disclosure of all financial, budgetary, and
programmatic information needed to fully understand the operations and
financial condition of the agency.

Management avoids focus on short-term reported results.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 13

Management's Philosophy and Operating Style Comments/Descriptions

Personnel do not submit inappropriate or inaccurate reports in order to meet
targets.

Facts are not exaggerated and budgetary estimates are not stretched to a
point of unreasonableness.

Organizational Structure Comments/Descriptions 1. The agency's
organizational structure is appropriate

for its size and the nature of its operations. Consider the following:

The organizational structure facilitates the flow of information throughout
the agency.

The organizational structure is appropriately centralized or decentralized,
given the nature of its operations, and management has clearly articulated
the considerations and factors taken into account in balancing the degree of
centralization versus decentralization.

2. Key areas of authority and responsibility are defined and communicated
throughout the organization. Consider the following:

Executives in charge of major activities or functions are fully aware of
their duties and responsibilities.

An accurate organizational chart showing key areas of responsibility is
provided to all employees.

Executives and key managers understand their internal control
responsibilities and ensure that their staff also understand their own
responsibilities.

3. Appropriate and clear internal reporting relationships have been
established. Consider the following:

Reporting relationships have been established and effectively provide
managers information they need to carry out their responsibilities and
perform their jobs.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 14

Organizational Structure Comments/Descriptions

Employees are aware of the established reporting relationships.

Mid-level managers can easily communicate with senior operating executives.

4. Management periodically evaluates the organizational structure and makes
changes as necessary in response to changing conditions.

5. The agency has the appropriate numbers of employees, particularly in
managerial positions. Consider the following:

Managers and supervisors have time to carry out their duties and
responsibilities.

Employees do not have to work excessive overtime or outside the ordinary
workweek to complete assigned tasks.

Managers and supervisors are not fulfilling the roles of more than one
employee.

Assignment of Authority and Responsibility Comments/Descriptions 1. The
agency appropriately assigns authority and

delegates responsibility to the proper personnel to deal with organizational
goals and objectives. Consider the following:

Authority and responsibility are clearly assigned throughout the
organization and this is clearly communicated to all employees.

Responsibility for decision-making is clearly linked to the assignment of
authority and responsibility, and individuals are held accountable
accordingly.

Along with increased delegation of authority and responsibility, management
has effective procedures to monitor results.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 15

Assignment of Authority and Responsibility Comments/Descriptions 2. Each
employee knows how his or her actions

interrelate to others considering the way in which authority and
responsibilities are assigned, and employees are aware of their related
duties concerning internal control. Consider the following:

Job descriptions clearly indicate the degree of authority and accountability
delegated to each position and the responsibilities assigned.

Job descriptions and performance evaluations contain specific references to
internal control related duties, responsibilities, and accountability.

3. The delegation of authority is appropriate in relation to the assignment
of responsibility. Consider the following:

Employees at the appropriate levels are empowered to correct problems or
implement improvements.

There is an appropriate balance between the delegation of authority at lower
levels to “get the job done” and the involvement of senior-level
personnel.

Human Resource Policies and Practices Comments/Descriptions 1. Policies and
procedures are in place for hiring,

orienting, training, evaluating, counseling, promoting, compensating,
disciplining, and terminating employees. Consider the following:

Management communicates information to recruiters about the type of
competencies needed for the work or participates in the hiring process.

The agency has standards or criteria for hiring qualified people, with
emphasis on education, experience, accomplishment, and ethical behavior.

A training program has been established and includes orientation programs
for new employees and ongoing training for all employees.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 16

Human Resource Policies and Practices Comments/Descriptions

Promotion, compensation, and rotation of employees are based on periodic
performance appraisals.

Performance appraisals are linked to the goals and objectives included in
the agency's strategic plan.

The importance of integrity and ethical values are reflected in performance
appraisal criteria.

Employees are provided with appropriate feedback and counseling on their job
performance and suggestions for improvements.

Disciplinary or remedial action is taken in response to violations of
policies or ethical standards.

Employment is terminated, following established policies, when performance
is consistently below standards or there are significant and serious
violations of policy.

Management has established criteria for employee retention and considers the
effect upon operations if large numbers of employees are expected to leave
or retire in a given time period.

2. Background checks are conducted on candidates for employment. Consider
the following:

Candidates who change jobs often are given particularly close attention.

Hiring standards require investigations for criminal records for all
potential employees.

References and previous employers are contacted. Educational and
professional certifications are

confirmed.

3. Employees are provided a proper amount of supervision. Consider the
following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 17

Human Resource Policies and Practices Comments/Descriptions

Employees receive guidance, review, and on-the-job training from supervisors
to help ensure proper work flow and processing of transactions and events,
reduce misunderstandings, and discourage wrongful acts.

Supervisory personnel ensure that staff are aware of their duties and
responsibilities and management's expectations of them.

Oversight Groups Comments/Descriptions 1. Within the agency, there are
mechanisms in place to

monitor and review operations and programs. Consider the following:

An Inspector General, who is independent from management, audits and reviews
agency activities.

The agency has an audit committee or senior management council consisting of
high-level line and staff executives that review the internal audit work and
coordinate closely with the Inspector General and external auditors.

If there is an internal audit operation it reports to the agency head. 2

The internal audit function reviews that agency's activities and systems and
provides information, analyses, appraisals, recommendations, and counsel to
management.

2. The agency works closely with executive branch oversight organizations.
Consider the following:

The agency has a good working relationship with OMB and agency officials,
including the Chief Financial Officer, meet regularly with OMB officials to
discuss areas such as financial and budgetary reporting, internal control,
and management's performance.

2 Agencies may or may not have an internal audit function separate and apart
from the Inspector General.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 18

Oversight Groups Comments/Descriptions

High-level agency personnel maintain good working relationships with other
executive branch agencies that exercise multi-agency control
responsibilities, such as the Department of the Treasury, the General
Services Administration, and the Office of Personnel Management.

3. The agency maintains a close relationship with Congress in general and
oversight committees in particular. Consider the following:

The agency provides Congress and oversight committees with timely and
accurate information to allow monitoring of agency activities, including
review of the agency's (1) mission and goals, (2) performance reporting, and
(3) financial position and operating results.

High-level agency officials meet regularly with congressional and GAO staff
to discuss major issues affecting operations, internal control, performance,
and other major agency activities and programs.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 19

Control Environment Summary Section Provide General Conclusions and Actions
Needed Here:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 20

(BLANK)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 21

RISK ASSESSMENT

The second internal control standard addresses risk assessment. A
precondition to risk assessment is the establishment of clear, consistent
agency goals and objectives at both the entity level and at the activity
(program or mission) level. Once the objectives have been set, the agency
needs to identify the risks that could impede the efficient and effective
achievement of those objectives at the entity level and the activity level.
Internal control should provide for an assessment of the risks the agency
faces from both internal and external sources. Once risks have been
identified, they should be analyzed for their possible effect. Management
then has to formulate an approach for risk management and decide upon the
internal control activities required to mitigate those risks and achieve the
internal control objectives of efficient and effective operations, reliable
financial reporting, and compliance with laws and regulations. A manager or
evaluator will focus on management's processes for objective setting, risk
identification, risk analysis, and management of risk during times of
change. Listed below are factors a user might consider. The list is a
beginning point. It is not all-inclusive nor will every item apply to every
agency or activity within the agency. Even though some of the functions and
points may be subjective in nature and require the use of judgment, they are
important in performing risk assessment.

Establishment of Entitywide Objectives Comments/Descriptions 1. The agency
has established entitywide objectives that

provide sufficiently broad statements and guidance about what the agency is
supposed to achieve, yet are specific enough to relate directly to the
agency. Consider the following:

Management has established overall entitywide objectives in the form of
mission, goals, and objectives, such as those defined in strategic and
annual performance plans developed under the GPRA.

The entitywide objectives relate to and stem from program requirements
established by legislation.

The entitywide objectives are specific enough to clearly apply to the agency
instead of applying to all agencies.

2. Entitywide objectives are clearly communicated to all employees, and
management obtains feedback signifying that the communication has been
effective.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 22

Establishment of Entitywide Objectives Comments/Descriptions 3. There is a
relationship and consistency between the

agency's operational strategies and the entitywide objectives. Consider the
following:

Strategic plans support the entitywide objectives. Strategic plans address
resource allocations and

priorities. Strategic plans and budgets are designed with an

appropriate level of detail for various management levels.

Assumptions made in strategic plans and budgets are consistent with the
agency's historical experience and current circumstances.

4. The agency has established an integrated management strategy and risk
assessment plan that considers the entitywide objectives and relevant
sources of risk from internal management factors and external sources and
establishes a control structure to address those risks.

Establishment of Activity-Level Objectives Comments/Descriptions 1.
Activity-level (program or mission-level) objectives

flow from and are linked with the agency's entitywide objectives and
strategic plans. Consider the following:

All significant activities are adequately linked to the entitywide
objectives and strategic plans.

Activity-level objectives are reviewed periodically to assure that they have
continued relevance.

2. Activity-level objectives are complementary, reinforce each other and are
not contradictory.

3. The activity-level objectives are relevant to all significant agency
processes. Consider the following:

Objectives have been established for all the key operational activities and
the support activities.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 23

Establishment of Activity-Level Objectives Comments/Descriptions

Activity-level objectives are consistent with effective past practices and
performance and are consistent with any industry or business norms that may
be applicable to the operations of the agency.

4. Activity-level objectives include measurement criteria. 5. Agency
resources are adequate relative to the activity-

level objectives. Consider the following:

The resources needed to meet the objectives have been identified.

If adequate resources are not available, management has plans to acquire
them.

6. Management has identified those activity-level objectives that are
critical to the success of the overall entitywide objectives. Consider the
following:

Management has identified the things that must occur or happen if the
entitywide objectives are to be met.

The critical activity-level objectives receive particular attention and
review from management and their performance is monitored regularly.

7. All levels of management are involved in establishing the activity-level
objectives and are committed to their achievement.

Risk Identification Comments/Descriptions 1. Management comprehensively
identifies risk using

various methodologies as appropriate. Consider the following:

Qualitative and quantitative methods are used to identify risk and determine
relative risk rankings on a scheduled and periodic basis.

How risk is to be identified, ranked, analyzed, and mitigated is
communicated to appropriate staff.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 24

Risk Identification Comments/Descriptions

Risk identification and discussion occur in senior- level management
conferences.

Risk identification takes place as a part of short and long-term forecasting
and strategic planning.

Risk identification occurs as a result of consideration of findings from
audits, evaluations, and other assessments.

2. Adequate mechanisms exist to identify risks to the agency arising from
external factors. Consider the following:

The agency considers the risks associated with technological advancements
and developments.

Consideration is given to risks arising from the changing needs or
expectations of Congress, agency officials, and the public.

Risks posed by new legislation or regulations are identified.

Risks to the agency as a result of possible natural catastrophes are taken
into account.

Identification of risks resulting from business, political, and economic
changes are determined.

Consideration is given to the risks associated with major suppliers and
contractors.

The agency carefully considers any risks resulting from its interactions
with various other entities and outside parties.

3. Adequate mechanisms exist to identify risks to the agency arising from
internal factors. Consider the following:

Risks resulting from downsizing of agency operations and personnel are
considered.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 25

Risk Identification Comments/Descriptions

The agency identifies risks associated with reengineering of operating
processes.

Consideration is given to risks posed by disruption of information systems
processing and the extent to which backup systems are available and can be
implemented.

The agency identifies any potential risks due to highly decentralized
program operations.

Consideration is given to possible risks resulting from the lack of
qualifications of personnel hired or the extent to which they have been
trained.

Risks resulting from heavy reliance on contractors or other related parties
to perform critical agency operations are identified.

The agency identifies any risks that might be associated with major changes
in managerial responsibilities.

Risks resulting from unusual employee access to vulnerable assets are
considered.

Risk identification activities consider certain human capital related risks,
such as the ability to provide succession planning and retain key management
personnel who can affect the ability of the agency to function effectively,
and the adequacy of compensation and benefit programs to keep the agency
competitive with the private sector for labor.

Risks related to the availability of future funding for new programs or the
continuation of current programs are assessed.

4. In identifying risk, management assesses other factors that may
contribute to or increase the risk to which the agency is exposed. Consider
the following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 26

Risk Identification Comments/Descriptions

Management considers any risks related to past failures to meet agency
missions, goals, or objectives or failures to meet budget limitations.

Consideration is given to risks indicated by a history of improper program
expenditures, violations of funds control, or other statutory noncompliance.

The agency identifies any risks inherent to the nature of its mission or to
the significance and complexity of any specific programs or activities it
undertakes.

5. Management identifies risks both entitywide and for each significant
activity-level of the agency.

Risk Analysis Comments/Descriptions 1. After the risks to the agency have
been identified,

management undertakes a thorough and complete analysis of their possible
effect. Consider the following:

Management has established a formal process to analyze risks or the analysis
is done informally via day-to-day management activities.

Criteria has been established for determining low, medium, and high risks.

Appropriate levels of management and employees are involved in the risk
analysis.

The risks identified and analyzed are relevant to the corresponding activity
objective.

Risk analysis includes estimating the risk's significance.

Risk analysis includes estimating the likelihood and frequency of occurrence
of each risk and determining whether it falls into the low, medium, or high
risk category.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 27

Risk Analysis Comments/Descriptions

A determination is made on how best to manage or mitigate the risk and what
specific actions should be taken.

2. Management has developed an approach for risk management and control
based on how much risk can be prudently accepted. Consider the following:

The approach can vary from one agency to another depending upon variances in
risks and how much risk can be tolerated, but seems appropriate to the
agency.

The approach is designed to keep risks within levels judged to be
appropriate and management takes responsibility for setting the tolerable
risk level.

Specific control activities are decided upon to manage or mitigate specific
risks entitywide and at each activity level, and their implementation is
monitored.

Managing Risk During Change Comments/Descriptions 1. The agency has
mechanisms in place to anticipate,

identify, and react to risks presented by changes in governmental, economic,
industry, regulatory, operating, or other conditions that can affect the
achievement of entitywide or activity-level goals and objectives. Consider
the following:

All activities within the agency that might be significantly affected by
changes are considered in the process.

Routine changes are addressed through the established risk identification
and analysis processes.

Risks resulting from conditions that are significantly changing are
addressed at sufficiently high levels within the agency so that their full
impact on the organization is considered and appropriate actions are taken.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 28

Managing Risk During Change Comments/Descriptions 2. The agency gives
special attention to risks presented by

changes that can have a more dramatic and pervasive effect on the entity and
may demand the attention of senior officials. Consider the following:

The agency is especially attentive to risks caused by the hiring of new
personnel to occupy key positions or by high personnel turnover in any
particular area.

Mechanisms exist to assess the risks posed by the introduction of new or
changed information systems and risks involved in training employees to use
the new systems and to accept the changes.

Management gives special consideration to the risks presented by rapid
growth and expansion or rapid downsizing and the effects on systems
capabilities and revised strategic plans, goals, and objectives.

Consideration is given to the risks involved when introducing major new
technological developments and applications and incorporating them into the
operating processes.

The risks are extensively analyzed whenever the agency begins the production
or provision of new outputs or services.

Risks resulting from the establishment of operations in a new geographical
area are assessed.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 29

Risk Assessment Summary Section Provide General Conclusions and Actions
Needed Here:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 30

(BLANK)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 31

CONTROL ACTIVITIES

The third internal control standard addresses control activities. Internal
control activities are the policies, procedures, techniques, and mechanisms
that help ensure that management's directives to mitigate risks identified
during the risk assessment process are carried out. Control activities are
an integral part of the agency's planning, implementing, and reviewing. They
are essential for proper stewardship and accountability for government
resources and for achieving effective and efficient program results.

Control activities occur at all levels and functions of the agency. They
include a wide range of diverse activities, such as approvals,
authorizations, verifications, reconciliations, performance reviews,
security activities, and the production of records and documentation. A
manager or evaluator should focus on control activities in the context of
the agency's management directives to address risks associated with
established objectives for each significant activity (program or mission).
Therefore, a manager or evaluator will consider whether control activities
relate to the risk-assessment process and whether they are appropriate to
ensure that management's directives are carried out. In assessing the
adequacy of internal control activities, a reviewer should consider whether
the proper control activities have been established, whether they are
sufficient in number, and the degree to which those activities are operating
effectively. This should be done for each significant activity. This
analysis and evaluation should also include controls over computerized
information systems. A manager or evaluator should consider not only whether
established control activities are relevant to the risk-assessment process,
but also whether they are being applied properly.

The control activities put into place in a given agency may vary
considerably from those used in a different agency. This difference may
occur because of the (1) variations in missions, goals, and objectives of
the agencies; (2) differences in their environment and manner in which they
operate; (3) variations in degree of organizational complexity; (4)
differences in agency histories and culture; and (5) differences in the
risks that the agencies face and are trying to mitigate. It is probable
that, even if two agencies did have the same missions, goals, objectives,
and organizational structures, they would employ different control
activities. This is because different people who apply their own individual
judgment in implementing internal control would manage them. All of these
factors affect an agency's internal control activities, which should be
designed accordingly to contribute to the achievement of the agency's
missions, goals, and objectives.

Given the wide variety of control activities that agencies may employ, it
would be impossible for this tool to address them all. However, there are
some general, overall points to be considered by managers and evaluators, as
well as several major categories or types of control activity factors that
are applicable at various levels throughout practically all federal
agencies. In addition, there are some control activity factors specifically
designed for information systems. These factors and related points and
subsidiary points are listed below as examples of issues to be considered.
They are meant to illustrate the range and variety of control activities
that are typically used. The list is a beginning point. It is not
all-inclusive, and not every point or subsidiary point may

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 32

apply to every agency or activity within the agency. Even though some of the
functions and points may be subjective in nature and require the use of
judgment, they are important in assessing the appropriateness of the
agency's internal control activities.

General Application Comments/Descriptions 1. Appropriate policies,
procedures, techniques, and

mechanisms exist with respect to each of the agency's activities. Consider
the following: 3

All relevant objectives and associated risks for each significant activity
have been identified in relation to the risk assessment and analysis
function of internal control.

Management has identified the actions and control activities needed to
address the risks and directed their implementation.

2. The control activities identified as necessary are in place and being
applied. Consider the following:

Control activities described in policy and procedures manuals are actually
applied and applied properly.

Supervisors and employees understand the purpose of internal control
activities.

Supervisory personnel review the functioning of control activities.

Timely action is take on exceptions, implementation problems, or information
that requires follow-up.

Common Categories of Control Activities Comments/Descriptions 1. Top-Level
Reviews – Management tracks major

agency achievements in relation to its plans. Consider the following:

3 In determining the adequacy of control activities and the relationship to
risk assessment processes, reviewers will need to exercise professional
judgment in considering the particular factors affecting control discussed
in the introductory material to this section as well as the risks common to
all types of government activities as addressed by the controls indicated in
the following material under “Common

Categories of Control Activities.”

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 33

Common Categories of Control Activities Comments/Descriptions

Top-level management regularly reviews actual performance against budgets,
forecasts, and prior period results.

Top management is involved in developing 5-year and annual performance plans
and targets in accordance with GPRA and measuring and reporting results
against those plans and targets.

Major agency initiatives are tracked for target achievement and follow-up
actions taken.

2. Management Reviews at the Functional or Activity Level – Agency
managers review actual performance against targets. Consider the following:

Managers at all activity levels review performance reports, analyze trends,
and measure results against targets.

Both financial and program managers review and compare financial, budgetary,
and operational performance to planned or expected results.

Appropriate control activities are employed, such as reconciliations of
summary information to supporting detail and checking the accuracy of
summarizations of operations.

3. Management of Human Capital – The agency effectively manages the
organization's workforce to achieve results. Consider the following: 4

There is a clear and coherent shared vision of the agency's mission, goals,
values, and strategies that is explicitly identified in the strategic plan,
annual performance plan, and other guiding documents, and that view has been
clearly and consistently communicated to all employees.

4 For more detailed information about items to look for and consider, see
GAO publication HUMAN CAPITAL: A Self- Assessment Checklist for Agency
Leaders, Discussion Draft (GAO/ GGD- 99- 179, September 1999).

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 34

Common Categories of Control Activities Comments/Descriptions

The agency has a coherent human capital strategy, as evidenced in its
strategic plan, performance plan, or separate human capital planning
document; and that strategy encompasses human capital policies, programs,
and practices to guide the agency.

The agency has a specific and explicit workforce planning strategy, linked
to the overall strategic plan, and that allows for identification of current
and future human capital needs.

The agency has defined the type of leaders it wants through written
descriptions of roles, responsibilities, attributes, and competencies and
has established broad performance expectations for them.

Senior leaders and managers attempt to build teamwork, reinforce the shared
vision of the agency, and encourage feedback from employees, as evidenced by
actions taken to communicate this to all employees and the existence of
opportunities for management to obtain feedback.

The agency's performance management system is given a high priority by
top-level officials, and it is designed to guide the workforce to achieve
the agency's shared vision/mission.

Procedures are in place to ensure that personnel with appropriate
competencies are recruited and retained for the work of the agency,
including a formal recruiting and hiring plan with explicit links to skill
needs the agency has identified.

Employees are provided orientation, training, and tools to perform their
duties and responsibilities, improve their performance, enhance their
capabilities, and meet the demands of changing organizational needs.

The compensation system is adequate to acquire, motivate, and retain
personnel, and incentives and rewards are provided to encourage personnel to
perform at maximum capability.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 35

Common Categories of Control Activities Comments/Descriptions

The agency provides workplace flexibilities, services, and facilities (e.g.,
career counseling, flextime, casual-dress days, and child-care) to help it
compete for talent and enhance employee satisfaction and commitment.

Qualified and continuous supervision is provided to ensure that internal
control objectives are being met.

Meaningful, honest, constructive performance evaluation and feedback are
provided to help employees understand the connection between their
performance and the achievement of the agency's goals.

Management conducts succession planning to ensure continuity of needed
skills and abilities.

4. Information Processing – The agency employs a variety of control
activities suited to information processing systems to ensure accuracy and
completeness. Consider the following: 5

Edit checks are used in controlling data entry. Accounting for transactions
is performed in numerical

sequences. File totals are compared with control accounts. Exceptions or
violations indicated by other control

activities are examined and acted upon. Access to data, files, and programs
are appropriately

controlled.

5. Physical Control Over Vulnerable Assets – The agency employs
physical control to secure and safeguard vulnerable assets. Consider the
following:

5 Further guidance on control activities for information processing is
provided below under “Control

Activities Specific for Information Systems.” In addition, see the GAO
FISCAM.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 36

Common Categories of Control Activities Comments/Descriptions

Physical safeguarding policies and procedures have been developed,
implemented, and communicated to all employees.

The agency has developed a disaster recovery plan, which is regularly
updated and communicated to employees.

The agency has developed a plan for the identification of and protection of
any critical infrastructure assets. 6

Assets that are particularly vulnerable to loss, theft, damage, or
unauthorized use, such as cash, securities, supplies, inventories, and
equipment, are physically secured and access to them controlled.

Assets such as cash, securities, supplies, inventories, and equipment are
periodically counted and compared to control records and exceptions
examined.

Cash and negotiable securities are maintained under lock and key and access
to them strictly controlled.

Forms such as blank checks and purchase orders are physically secured and
access to them controlled.

Mechanical check signers and signature plates are physically protected and
access to them strictly controlled.

Equipment vulnerable to theft is securely fastened or protected in some
other manner.

Identification plates and numbers are affixed to office furniture and
fixtures, equipment, and other portable assets.

6 Critical infrastructure assets are those assets of physical and cyber-
based systems that are essential to the minimum operations of the economy
and government. In accordance with the Presidential Decision Directive No.
63, dated May 22, 1998, each federal agency is responsible for identifying
its own critical infrastructure and developing a protection plan for it.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 37

Common Categories of Control Activities Comments/Descriptions

Inventories, supplies, and finished items/goods are stored in physically
secured areas and protected from damage.

Facilities are protected from fire by fire alarms and sprinkler systems.

Access to premises and facilities is controlled by fences, guards, and/or
other physical controls.

Access to facilities is restricted and controlled during nonworking hours.

6. Performance Measures and Indicators – The agency has established
and monitors performance measures and indicators. Consider the following:

Performance measures and indicators have been established throughout the
organization at the entitywide, activity, and individual level.

The agency periodically reviews and validates the propriety and integrity of
both organizational and individual performance measures and indicators.

Performance measurement assessment factors are evaluated to ensure that they
are linked to mission, goals, and objectives, and that they are balanced and
set the appropriate incentives for achieving goals while complying with law,
regulations, and ethical standards.

Actual performance data are continually compared and analyzed against
expected or planned goals.

Comparisons and assessments are made relating different sets of data to one
another so that analyses of the relationships can be made and corrective
actions can be taken if necessary.

Investigation of unexpected results or unusual trends leads to
identification of circumstances where achievement of goals and objectives
may be threatened and corrective action taken.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 38

Common Categories of Control Activities Comments/Descriptions

Analysis and review of performance measures and indicators are used for both
operational and financial reporting control purposes.

7. Segregation of Duties – Key duties and responsibilities are divided
or segregated among different people to reduce the risk of error, waste, or
fraud. Consider the following:

No one individual is allowed to control all key aspects of a transaction or
event.

Responsibilities and duties involving transactions and events are separated
among different employees with respect to authorization, approval,
processing and recording, making payments or receiving funds, review and
auditing, and the custodial functions and handling of related assets.

Duties are assigned systematically to a number of individuals to ensure that
effective checks and balances exist.

The responsibility for opening mail is assigned to individuals who have no
responsibilities for or access to files or documents pertaining to accounts
receivable or cash accounts.

Bank accounts are reconciled by employees who have no responsibilities for
cash receipts, disbursements, or custody.

Management is aware that collusion can reduce or destroy the control
effectiveness of segregation of duties and, therefore, is especially alert
for it and attempts to reduce the opportunities for it to occur.

8. Execution of Transactions and Events – Transactions and other
significant events are authorized and performed by the appropriate
personnel. Consider the following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 39

Common Categories of Control Activities Comments/Descriptions

Controls ensure that only valid transactions to exchange, transfer, use, or
commit resources and other events are initiated or entered into, in
accordance with management's decisions and directives and for specified
purposes under specific conditions.

Controls are established to ensure that all transactions and other
significant events that are entered into are authorized and executed only by
employees acting within the scope of their authority.

Authorizations are clearly communicated to managers and employees and
include the specific conditions and terms under which authorizations are to
be made.

The terms of authorizations are in accordance with directives and within
limitations established by law, regulation, and management.

9. Recording of Transactions and Events – Transactions and other
significant events are properly classified and promptly recorded. Consider
the following:

Transactions and events are appropriately classified and promptly recorded
so that they maintain their relevance, value, and usefulness to management
in controlling operations and making decisions.

Proper classification and recording take place throughout the entire life
cycle of each transaction or event including (1) initiation and
authorization, (2) all aspects of the transaction or event while in process,
and (3) the final classification in summary records.

Proper classification of transactions and events includes appropriate
organization and format of information on original documents (hardcopy paper
or electronic) and summary records from which reports and statements are
prepared.

Excessive adjustments to numbers or account classifications are not
necessary prior to finalization of financial reports.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 40

Common Categories of Control Activities Comments/Descriptions 10. Access
Restrictions to and Accountability for

Resources and Records – Access to resources and records is limited and
accountability for their custody is assigned. Consider the following:

The risk of unauthorized use or loss is controlled by restricting access to
resources and records only to authorized personnel.

Accountability for resources and records custody and use is assigned to
specific individuals.

Access restrictions and accountability assignments for custody are reviewed
and maintained on a regular periodic basis.

Periodic comparison of resources with the recorded accountability is made to
determine if the two agree, and differences are examined.

How frequently actual resources are compared to records and the degree of
access restrictions are functions of the vulnerability of the resource to
the risk of errors, fraud, waste, misuse, or unauthorized alteration.

Management considers such factors as asset value, portability, and
exchangeability when determining the appropriate degree of access
restrictions.

As a part of assigning and maintaining accountability for resources and
records, management informs and communicates those responsibilities to
specific individuals within the agency and assures that those people are
aware of their duties for appropriate custody and use of those resources.

11. Documentation – Internal Control and all transactions and other
significant events are clearly documented. Consider the following:

Written documentation exists for the agency's internal control structure and
all significant transactions and events.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 41

Common Categories of Control Activities Comments/Descriptions

The documentation is readily available for examination.

The documentation for internal control includes identification of the
agency's activity-level functions and related objectives and control
activities and appears in management directives, administrative policies,
accounting manuals, and other such manuals.

Documentation of transactions and other significant events is complete and
accurate and facilitates tracing the transaction or event and related
information from before it occurs, through its processing, to after it is
completed.

Documentation, whether in paper or electronic form, is useful to managers in
controlling their operations and to auditors and others involved in
analyzing operations.

All documentation and records are properly managed, maintained, and
periodically updated.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 42

Control Activities Specific for Information Systems – General Control

As stated in the introduction to the Control Activities Section, there are
some control activity factors specifically designed for information systems.
As discussed in the standard, there are two broad groupings of information
systems control – general control and application control. General
control includes the structure, policies, and procedures that apply to the
agency's overall computer operations. It applies to all information systems
– mainframe, minicomputer, network, and end-user environments. General
control creates the environment in which the agency's application systems
operate. General control activities are presented first followed by
application control activities.

There are six major factors or categories of control activities that need to
be considered by the user when evaluating general control: entitywide
security management program, access control, application software
development and change, system software control, segregation of duties, and
service continuity. The factors and related points and some subsidiary
points are listed below as examples of issues to be considered. They are
meant to illustrate the range and variety of general control activities that
are typically used and are not all-inclusive. Users should refer to the
listing of critical elements and control activities pertaining to general
control provided in GAO's Federal Information System Controls Audit Manual
(FISCAM) (GAO/AIMD-12.19.6, January 1999). The list provided below
summarizes the list provided in the FISCAM; however, users should refer to
the FISCAM for more detailed guidance in performing their evaluation and
analysis.

Entitywide Security Management Program Comments/Descriptions 1. The agency
periodically performs a comprehensive,

high-level assessment of risks to its information systems. Consider the
following:

Risk assessments are performed and documented on a regular basis and
whenever systems, facilities, or other conditions change.

Risk assessments consider data sensitivity and integrity.

Final risk determinations and management approvals are documented and kept
on file.

2. The agency has developed a plan that clearly describes the entitywide
security program and policies and procedures that support it.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 43

Entitywide Security Management Program Comments/Descriptions 3. Senior
management has established a structure to

implement and manage the security program throughout the agency, and
security responsibilities are clearly defined.

4. The agency has implemented effective security-related personnel policies.

5. The agency monitors the security program's effectiveness and makes
changes as needed. Consider the following:

Management periodically assesses the appropriateness of security policies
and compliance with them.

Corrective actions are promptly and effectively implemented, tested, and
monitored on a continuing basis.

Access Control Comments/Descriptions 1. The agency classifies information
resources according

to their criticality and sensitivity. Consider the following:

Resource classifications and related criteria have been established and
communicated to resource owners.

Resource owners have classified their information resources based on the
approved criteria and with regard to risk determinations and assessments and
have documented those classifications.

2. Resource owners have identified authorized users and their access to the
information has been formally authorized.

3. The agency has established physical and logical controls to prevent or
detect unauthorized access.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 44

Access Control Comments/Descriptions 4. The agency monitors information
systems access,

investigates apparent violations, and takes appropriate remedial and
disciplinary action.

Application Software Development and Change Control Comments/Descriptions

1. Information system processing features and program modifications are
properly authorized.

2. All new or revised software is thoroughly tested and approved.

3. The agency has established procedures to ensure control of its software
libraries, including labeling, access restrictions, and use of inventories
and separate libraries.

System Software Control Comments/Descriptions 1. The agency limits access to
system software based on

job responsibilities, and access authorization is documented.

2. Access to and use of system software is controlled and monitored.

3. The agency controls changes made to the system software.

Segregation of Duties Comments/Descriptions 1. Incompatible duties have been
identified and policies

implemented to segregate those duties. 2. Access controls have been
established to enforce

segregation of duties. 3. The agency exercises control over personnel
activities

through the use of formal operating procedures, supervision, and review.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 45

Service Continuity Comments/Descriptions 1. The criticality and sensitivity
of computerized

operations have been assessed and prioritized, and supporting resources have
been identified.

2. The agency has taken steps to prevent and minimize potential damage and
interruption through the use of data and program backup procedures,
environmental controls, staff training, and hardware maintenance and
management.

3. Management has developed and documented a comprehensive contingency plan.

4. The agency periodically tests the contingency plan and adjusts it as
appropriate.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 46

Control Activities Specific for Information Systems – Application
Control

Application control covers the structure, policies, and procedures designed
to help ensure completeness, accuracy, authorization, and validity of all
transactions during application processing. It includes both the routines
contained within the computer program code as well as the policies and
procedures associated with user activities, such as manual measures
performed by the user to determine that the data were processed accurately
by the computer.

There are four major factors or categories of control activities that need
to be considered by the user when evaluating application control:
authorization control, completeness control, accuracy control, and control
over integrity of processing and data files. The factors and related points
and some subsidiary points are listed below as examples of issues to be
considered. They are meant to illustrate the range and variety of
application control activities that are typically used and are not
all-inclusive. In the future, application control evaluation and testing
will be addressed in Chapter 4 of GAO's Federal Information System Controls
Audit Manual (FISCAM) (GAO/AIMD-12.19.6, January 1999). That chapter is
currently under development and is expected to be issued with the first
update of the FISCAM. However, the list of factors, points, and subsidiary
points provided below generally follows the guidance expected to be issued
in the FISCAM. Users should refer to the FISCAM Chapter 4, when issued, for
more detailed guidance in performing their evaluation and analysis.

Authorization Control Comments/Descriptions 1. Source documents are
controlled and require

authorization. Consider the following:

Access to blank source documents is restricted. Source documents are
pre-numbered sequentially. Key source documents require authorizing
signatures. For batch application systems, batch control sheets

are used providing information such as date, control number, number of
documents, and control totals for key fields.

Supervisory or independent review of data occurs before it is entered into
the application system.

2. Data entry terminals have restricted access. 3. Master files and
exception reporting are used to ensure

that all data processed are authorized.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 47

Completeness Control Comments/Descriptions 1. All authorized transactions
are entered into and

processed by the computer. 2. Reconciliations are performed to verify data

completeness. Accuracy Control Comments/Descriptions 1. The agency's data
entry design features contribute to

data accuracy. 2. Data validation and editing are performed to identify

erroneous data. 3. Erroneous data are captured, reported, investigated,

and corrected. 4. Output reports are reviewed to help maintain data

accuracy and validity. Control Over Integrity of Processing and Data Files
Comments/Descriptions

1. Procedures ensure that the current version of production programs and
data files are used during processing.

2. Programs include routines to verify that the proper version of the
computer file is used during processing.

3. Programs include routines for checking internal file header labels before
processing.

4. The application protects against concurrent file updates.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 48

Control Activities Summary Section Provide General Conclusions and Actions
Needed Here:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 49

INFORMATION AND COMMUNICATIONS

According to the fourth internal control standard, for an agency to run and
control its operations, it must have relevant, reliable information, both
financial and nonfinancial, relating to external as well as internal events.
That information should be recorded and communicated to management and
others within the agency who need it and in a form and within a time frame
that enables them to carry out their internal control and operational
responsibilities. In addition, the agency needs to make sure that the forms
of communications are broad-based and that information technology management
assures useful, reliable, and continuous communications. Managers and
evaluators should consider the appropriateness of information and
communication systems to the entity's needs and the degree to which they
accomplish the objectives of internal control. Listed below are factors a
user might consider. The list is a beginning point. It is not all-inclusive,
nor will every item apply to every agency or activity within the agency.
Even though some of the functions and points may be subjective in nature and
require the use of judgment, they are important in collecting appropriate
data and information and in establishing and maintaining good
communications.

Information Comments/Descriptions 1. Information from internal and external
sources is

obtained and provided to management as a part of the agency's reporting on
operational performance relative to established objectives. Consider the
following:

Internally generated information critical to achieving the agency's
objectives, including information relative to critical success factors, is
identified and regularly reported to management.

The agency obtains and reports to management any relevant external
information that may affect the achievement of its missions, goals, and
objectives, particularly that related to legislative or regulatory
developments and political or economic changes.

Internal and external information needed by managers at all levels is
reported to them.

2. Pertinent information is identified, captured, and distributed to the
right people in sufficient detail, in the right form, and at the appropriate
time to enable them to carry out their duties and responsibilities
efficiently and effectively. Consider the following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 50

Information Comments/Descriptions

Managers receive analytical information that helps them identify specific
actions that need to be taken.

Information is provided at the right level of detail for different levels of
management.

Information is summarized and presented appropriately and provides pertinent
information while permitting a closer inspection of details as needed.

Information is available on a timely basis to allow effective monitoring of
events, activities, and transactions and allow prompt reaction.

Program managers receive both operational and financial information to help
them determine whether they are meeting the strategic and annual performance
plans and meeting the agency's goals for accountability of resources.

Operational information is provided to managers so that they may determine
whether their programs comply with applicable laws and regulations.

The appropriate financial and budgetary information is provided for both
internal and external financial reporting.

Communications Comments/Descriptions 1. Management ensures that effective
internal

communications occur. Consider the following:

Top management provides a clear message throughout the agency that internal
control responsibilities are important and must be taken seriously.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 51

Communications Comments/Descriptions

Employees' specific duties are clearly communicated to them and they
understand the relevant aspects of internal control, how their role fits
into it, and how their work relates to the work of others.

Employees are informed that when the unexpected occurs in performing their
duties, attention must be given not only to the event, but also to the
underlying cause, so that potential internal control weaknesses can be
identified and corrected before they can do further harm to the agency.

Acceptable behavior versus unacceptable behavior and the consequences of
improper conduct are clearly communicated to all employees.

Personnel have a means of communicating information upstream within the
agency through someone other than a direct supervisor, and there is a
genuine willingness to listen on the part of management.

Mechanisms exist to allow the easy flow of information down, across, and up
the organization, and easy communications exist between functional
activities such as between procurement activities and production activities.

Employees indicate that informal or separate lines of communications exist
which serve as a “fail-safe” control for normal communications
avenues.

Personnel understand that there will be no reprisals for reporting adverse
information, improper conduct, or circumvention of internal control
activities.

Mechanisms are in place for employees to recommend improvements in
operations, and management acknowledges good employee suggestions with cash
awards or other meaningful recognition.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 52

Communications Comments/Descriptions

Management communicates frequently with internal oversight groups, such as
senior management councils, and keeps them informed of performance, risks,
major initiatives, and any other significant events.

2. Management ensures that effective external communications occur with
groups that can have a serious impact on programs, projects, operations, and
other activities, including budgeting and financing. Consider the following:

Open and effective communications channels have been established with
customers, suppliers, contractors, consultants, and other groups that can
provide significant input on quality and design of agency products and
services.

All outside parties dealing with the agency are clearly informed of the
agency's ethical standards and also understand that improper actions, such
as improper billings, kickbacks, or other improper payments, will not be
tolerated.

Communications from external parties, such as other federal agencies, state
and local governments, and other related third parties, is encouraged since
it can be a source of information on how well internal control is
functioning.

Agencies communicating with external groups about controversial issues have
a way to assure compliance with the Federal Advisory Committee Act.

Complaints or other inquires, especially those concerning services, such as
shipments, receipts, and billings, are welcomed since they can serve to
point out problems with control.

Management makes certain that the advice and recommendations of Inspectors
General and other auditors and evaluators are fully considered and that
actions are implemented to correct any problems or weaknesses they identify.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 53

Communications Comments/Descriptions

Communications with the Congress, OMB, Treasury, other federal agencies,
state and local governments, the media, the public, and others provide
information relevant to the requestors' needs so that they can better
understand the agency's mission, goals, and objectives, better understand
the risks facing the agency, and thus better understand the agency.

Forms and Means of Communications Comments/Descriptions 1. The agency
employs many and various forms and

means of communicating important information with employees and others.
Consider the following:

Management uses effective communications methods, which may include policy
and procedures manuals, management directives, memoranda, bulletin board
notices, internet and intranet web pages, videotaped messages, e-mail, and
speeches.

One of the most powerful forms of communications used by management is the
positive actions it takes in dealing with personnel throughout the
organization and its demonstrated support of internal control.

2. The agency manages, develops, and revises its information systems in an
effort to continually improve the usefulness and reliability of its
communication of information. Consider the following:

Information systems management is based on a strategic plan for information
systems that is linked to the agency's overall strategic plan.

A mechanism exists for identifying emerging information needs.

As part of the agency's information management, improvements and advances in
technology are monitored, analyzed, evaluated, and introduced to help the
agency respond more rapidly and efficiently to those they serve.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 54

Forms and Means of Communications Comments/Descriptions

Management continually monitors the quality of the information captured,
maintained, and communicated as measured by such factors as appropriateness
of content, timeliness, accuracy, and accessibility.

Management's support for the development of information technology is
demonstrated by its commitment of appropriate human and financial resources
to the effort.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 55

Information and Communications Summary Section Provide General Conclusions
and Actions Needed Here:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 56

(BLANK)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 57

MONITORING

Monitoring is the final internal control standard. Internal control
monitoring should assess the quality of performance over time and ensure
that the findings of audits and other reviews are promptly resolved. In
considering the extent to which the continued effectiveness of internal
control is monitored, both ongoing monitoring activities and separate
evaluations of the internal control system, or portions thereof, should be
considered. Ongoing monitoring occurs during normal operations and includes
regular management and supervisory activities, comparisons, reconciliations,
etc., and other actions people take in performing their duties. Separate
evaluations are a way to take a fresh look at internal control by focusing
directly on the controls' effectiveness at a specific time. These
evaluations may take the form of self-assessments as well as review of
control design and direct testing, and may include the use of this
Management and Evaluation Tool or some similar device. In addition,
monitoring includes policies and procedures for ensuring that any audit and
review findings and recommendations are brought to the attention of
management and are resolved in a timely manner. Managers and evaluators
should consider the appropriateness of the agency's internal control
monitoring and the degree to which it helps them accomplish their
objectives. Listed below are factors a user might consider. The list is a
beginning point. It is not all-inclusive, and every item might not apply to
every agency or activity within the agency. Even though some of the
functions and points may be subjective in nature and require the use of
judgment, they are important in establishing and maintaining good internal
control monitoring policies and procedures.

Ongoing Monitoring Comments/Descriptions 1. Management has a strategy to
ensure that ongoing

monitoring is effective and will trigger separate evaluations where problems
are identified or systems are critical and testing is periodically
desirable. Consider the following:

Management's strategy provides for routine feedback and monitoring of
performance and control objectives.

The monitoring strategy includes identification of critical operational and
mission support systems that need special review and evaluation.

The strategy includes a plan for periodic evaluation of control activities
for critical operational and mission support systems.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 58

Ongoing Monitoring Comments/Descriptions 2. In the process of carrying out
their regular activities,

agency personnel obtain information about whether internal control is
functioning properly. Consider the following:

Operating reports are integrated or reconciled with financial and budgetary
reporting system data and used to manage operations on an ongoing basis, and
management is alert to inaccuracies or exceptions that could indicate
internal control problems.

Operating management compares production, sales, or other operating
information obtained in the course of their daily activities to
system-generated information and follows up on any inaccuracies or other
problems that might be found.

Operating personnel are required to “sign-off” on the accuracy
of their unit's financial statements and are held accountable if errors are
discovered.

3. Communications from external parties should corroborate internally
generated data or indicate problems with internal control. Consider the
following:

Management recognizes that customers paying for invoices help to corroborate
billing data, while customer complaints indicate that deficiencies may
exist; and these deficiencies are then investigated to determine the
underlying causes.

Communications from vendors and monthly statements of accounts payable are
used as control monitoring techniques.

Supplier complaints about any unfair practices by agency purchasing agents
are investigated.

Congress and oversight groups communicate information to the agency about
compliance or other matters that reflect on the functioning of internal
control and management follows up on any problems indicated.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 59

Ongoing Monitoring Comments/Descriptions

Control activities that should have prevented or detected any problems that
arise, but did not function properly, are reassessed.

4. Appropriate organizational structure and supervision help provide
oversight of internal control functions. Consider the following:

Automated edits and checks as well as clerical activities are used to help
control accuracy and completeness of transaction processing.

Separation of duties and responsibilities is used to help deter fraud.

The Inspector General is independent and has authority to report directly to
the agency head and does not conduct agency operations for management.

5. Data recorded by information and financial systems are periodically
compared with physical assets and discrepancies are examined. Consider the
following:

Inventory levels of materials, supplies, and other assets are checked
regularly, differences between recorded and actual amounts are corrected,
and the reasons for the discrepancies resolved.

The frequency of the comparison is a function of the vulnerability of the
asset.

Custodial accountability for assets and resources is assigned to responsible
individuals.

6. The Inspector General and other auditors and evaluators regularly provide
recommendations for improvements in internal control with management taking
appropriate follow-up action.

7. Meetings with employees are used to provide management with feedback on
whether internal control is effective. Consider the following:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 60

Ongoing Monitoring Comments/Descriptions

Relevant issues, information, and feedback concerning internal control
raised at training seminars, planning sessions, and other meetings are
captured and used by management to address problems or strengthen the
internal control structure.

Employee suggestions on internal control are considered and acted upon as
appropriate.

8. Employees are regularly asked to state explicitly whether they comply
with the agency's code of conduct or similar agency pronouncements of
expected employee behavior. Consider the following:

Personnel periodically acknowledge compliance with the code of conduct.

Signatures are required to evidence performance of critical internal control
functions, such as reconciliations.

Separate Evaluations Comments/Descriptions 1. The scope and frequency of
separate evaluations of

internal control are appropriate for the agency. Consider the following:

Consideration is given to the risk assessment results and the effectiveness
of ongoing monitoring when determining the scope and frequency of separate
evaluations.

Separate evaluations are often prompted by events such as major changes in
management plans or strategies, major expansion or downsizing of the agency,
or significant changes in operations or processing of financial or budgetary
information.

Appropriate portions or sections of internal control are evaluated
regularly.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 61

Separate Evaluations Comments/Descriptions

Separate evaluations are conducted by personnel with the required skills
that may include the agency's Inspector General or an external auditor.

2. The methodology for evaluating the agency's internal control is logical
and appropriate. Consider the following:

The methodology used may include self-assessments using checklists,
questionnaires, or other such tools, and it may include the use of this
Management and Evaluation Tool or some similar device.

The separate evaluations may include a review of the control design and
direct testing of the internal control activities.

The evaluation team develops a plan for the evaluation process to ensure a
coordinated effort.

If the evaluation process is conducted by agency employees, it is managed by
an executive with the requisite authority, capability, and experience.

The evaluation team gains a sufficient understanding of the agency's
missions, goals, and objectives and its operations and activities.

The evaluation team gains an understanding of how the agency's internal
control is supposed to work and how it actually does work.

The evaluation team analyzes the results of the evaluation against
established criteria.

The evaluation process is properly documented.

3. If the separate evaluations are conducted by the agency's Inspector
General, that office has sufficient resources, ability, and independence.
Consider the following: 7

7 This particular point and the related subsidiary points are not expected
to be assessed by agency management or the agency Inspector General.
However, their consideration may be useful in outside reviews or peer
reviews.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 62

Separate Evaluations Comments/Descriptions

The Inspector General has sufficient levels of competent and experienced
staff.

The Inspector General is organizationally independent and reports to the
highest levels within the agency.

The responsibilities, scope of work, and audit plans of the Inspector
General are appropriate to the agency's needs.

4. Deficiencies found during separate evaluations are promptly resolved.
Consider the following:

Deficiencies are promptly communicated to the individual responsible for the
function and also to at least one level of management above that individual.

Serious deficiencies and internal control problems are promptly reported to
top management.

Audit Resolution 8 Comments/Descriptions 1. The agency has a mechanism to
ensure the prompt

resolution of findings from audits and other reviews. Consider the
following:

Managers promptly review and evaluate findings resulting from audits, FMFIA
and FFMIA assessments, and other reviews, including those showing
deficiencies and those identifying opportunities for improvements.

Management determines the proper actions to take in response to findings and
recommendations.

Corrective action is taken or improvements made within established time
frames to resolve the matters brought to management's attention.

8 Audit Resolution includes the resolution of findings and recommendations
not just from formal audits, but also resulting from informal reviews,
internal separate evaluations, management studies, and assessments made
pursuant to the requirements of the Federal Managers' Financial Integrity
Act (FMFIA) of 1982 and the Federal Financial Management Improvement Act
(FFMIA) of 1996.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 63

Audit Resolution Comments/Descriptions

In cases where there is disagreement with the findings or recommendations,
management demonstrates that those findings or recommendations are either
invalid or do not warrant action.

Management considers consultations with auditors (such as GAO, Inspector
General, and other external auditors), and reviewers when it is believed to
be helpful in the audit resolution process.

2. Agency management is responsive to the findings and recommendations of
audits and other reviews aimed at strengthening internal control. Consider
the following:

Executives with the proper authority evaluate the findings and
recommendations and decide upon the appropriate actions to take to correct
or improve control.

Desired internal control actions are followed up on to verify
implementation.

3. The agency takes appropriate follow up actions with regard to findings
and recommendations of audits and other reviews. Consider the following:

Problems with particular transactions or events are corrected promptly.

The underlying causes giving rise to the findings or recommendations are
investigated by management.

Actions are decided upon to correct the situation or take advantage of the
opportunity for improvements.

Management and auditors follow up on audit and review findings,
recommendations, and the actions decided upon to ensure that those actions
are taken.

Top management is kept informed through periodic reports on the status of
audit and review resolution so that it can ensure the quality and timeliness
of individual resolution decisions.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 64

Monitoring Summary Section Provide General Conclusions and Actions Needed
Here:

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 65

OVERALL INTERNAL CONTROL SUMMARY Control Environment Assessment/Conclusions
Management and employees have a positive and supportive attitude toward
internal control and conscientious management. Management conveys the
message that integrity and ethical values must not be compromised. The
agency demonstrates a commitment to the competence of its personnel and
employs good human capital policies and practices. Management has a
philosophy and operating style that is appropriate to the development and
maintenance of effective internal control. The agency's organizational
structure and the way in which it assigns authority and responsibility
contribute to effective internal control. The agency has a good working
relationship with the Congress and oversight groups.

Risk Assessment The agency has established clear and consistent entitywide
objectives and supporting activity-level objectives. Management has made a
thorough identification of risks, from both internal and external sources,
that may affect the ability of the agency to meet those objectives. An
analysis of those risks has been performed, and the agency has developed an
appropriate approach for risk management. In addition, mechanisms are in
place to identify changes that may affect the agency's ability to achieve
its missions, goals, and objectives.

Control Activities Appropriate policies, procedures, techniques, and control
mechanisms have been developed and are in place to ensure adherence to
established directives. Proper control activities have been developed for
each of the agency's activities. The control activities identified as
necessary are actually being applied properly.

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 66

Information and Communications Assessment/Conclusions Information systems
are in place to identify and record pertinent operational and financial
information relating to internal and external events. That information is
communicated to management and others within the agency who need it and in a
form that enables them to carry out their duties and responsibilities
efficiently and effectively. Management ensures that effective internal
communications take place. It also ensures that effective external
communications occur with groups that can affect the achievement of the
agency's missions, goals, and objectives. The agency employs various forms
of communications appropriate to its needs and manages, develops, and
revises its information systems in a continual effort to improve
communications.

Monitoring Agency internal control monitoring assesses the quality of
performance over time. It does this by putting procedures in place to
monitor internal control on an ongoing basis as a part of the process of
carrying out its regular activities. In addition, separate evaluations of
internal control are periodically performed and deficiencies found are
investigated. Procedures are in place to ensure that the findings of all
audits and other reviews are promptly evaluated, decisions are made about
the appropriate response, and actions are taken to correct or otherwise
resolve the issues promptly.

(922290)

GAO- 01- 131G – Internal Control Management and Evaluation Tool ED (2/
01) Page 67

RELATED PRODUCTS

These related products address three main categories; internal control,
financial management systems, and financial reporting (accounting
standards). We have developed these guidelines and tools to assist agencies
in improving or maintaining effective operations and financial management.

Internal Control

Standards for Internal Control Streamlining the Payment Process in the
Federal Government, While Maintaining Effective Internal GAO/ AIMD- 00- 21.
3.1, November 1999. Control, GAO/ AIMD- 00- 21.3.2, May 2000. Determining
Performance and Accountability Challenges and High Risks, GAO- 01- 159SP,
November 2000.

Financial Management Systems

Framework for Federal Financial Inventory System Checklist, Management
System Checklist, GAO/ AIMD- 98- 21. 2.4, May 1998. GAO/ AIMD- 98- 21. 2.1,
May 1998. System Requirements for Managerial Core Financial System
Requirements Cost Accounting Checklist, Checklist, GAO/ AIMD- 00- 21.2.2,
GAO/ AIMD- 99- 21. 2.9, January 1999. February 2000. Human Resources and
Payroll Direct Loan System Requirements Systems Requirements Checklist
Checklist, GAO/ AIMD- 00- 21.2.6, GAO/ AIMD- 00- 21. 2.3, March 2000. April
2000. Travel System Requirements Seized Property and Forfeited Assets
Checklist, GAO/ AIMD- 00- 21.2.8, Requirements Checklist, May 2000. GAO- 01-
99G, October 2000.

Financial Reporting (Accounting Standards)

FASAB Volume 1 Original Statements, GAO/ AIMD- 97- 21. 1.1, March 1997.

These documents are available on the Internet on GAO's Home Page (www. gao.
gov) under

“Other Publications.” They can also be obtained from GAO, 700 4
th Street NW, Room 1100, Washington DC 20548, or by calling (202) 512- 6000
or TDD (202) 512- 2537.

United States General Accounting Office Washington, D. C. 20548- 0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00
*** End of document. ***