GAO Green Book Glossary of Terms Used

The following terms are provided to assist in clarifying the Standards for Internal Control in the Federal Government. The most relevant paragraph numbers are provided for reference.

Application controls - Controls that are incorporated directly into computer applications for the purposes of validity, completeness, accuracy, and confidentiality of transactions and data during application processing; application controls include controls over input, processing, output, master file, interface, and data management system controls (paragraph 11.08)

Attributes - Additional information that provides further explanation of the principles and documentation requirements for effective internal control (paragraph OV2.07)

Baseline - The difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time (paragraph 16.02)

Competence - The qualification to carry out assigned responsibilities (paragraph 4.02)

Complementary user entity controls - Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description (paragraph OV4.02)

Component - One of the five required elements of internal control. The internal control components are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring (paragraph OV2.04)

Contingency plans - The processes defined to address an entity’s need to respond to sudden personnel changes that could compromise the internal control system (paragraph 4.06)

Control activities - The policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives and address related risks (paragraph 10.02)

Control objective - The aim or purpose of specified controls; control objectives address the risks related to achieving an entity’s objectives (paragraph OV3.05)

Deficiency - When the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks (paragraph OV3.07)

Detective control - An activity that is designed to discover when an entity is not achieving an objective or addressing a risk before the entity’s operation has concluded and corrects the actions so that the entity achieves the objective or addresses the risk (paragraph 10.04)

Entity-level control - Controls that have a pervasive effect on an entity’s internal control system; entity-level controls may include controls related to the entity’s risk assessment process, control environment, service organizations, management override, and monitoring (paragraph 10.09)

Fraud - Involves obtaining something of value through willful misrepresentation (paragraph 8.02)

General controls - The policies and procedures that apply to all or a large segment of an entity’s information systems; general controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning (paragraph 11.07)

Green Book - The commonly used name for Standards for Internal Control in the Federal Government (Overview: Foreword)

Information system - The people, processes, data, and technology management organizes to obtain, communicate, or dispose of information (paragraph 11.03)

Information technology - Technology-enabled information processes (paragraph 11.03)

Inherent risk - The risk to an entity prior to considering management’s response to the risk (paragraph 7.03)

Internal control - A process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (paragraph OV1.01)

Internal control system - A continuous built-in component of operations, effected by people, that provides reasonable assurance—not absolute assurance—that an entity’s objectives will be achieved (paragraph OV1.04)

Key role - A position in an organizational structure that is assigned an overall responsibility of an entity (paragraph 3.06)

Likelihood of occurrence - The level of possibility that a risk will occur (paragraph 7.06)

Magnitude of impact - Severity of deficiency that could result from a risk and is affected by factors such as the size, pace, and duration of the risk’s impact (paragraph 7.06)

Management - Personnel who are directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system (paragraph OV2.14)

Must - Denotes a requirement that management must comply with in all cases; these requirements are the components of internal control (paragraph OV2.04)

Organizational structure - The operating units, operational processes, and other structures management uses to achieve objectives (paragraph OV2.10)

Oversight body - Those responsible for overseeing management’s design, implementation, and operation of an internal control system (paragraph OV2.14)

Performance measure - A means of evaluating the entity’s performance in achieving objectives (paragraph 6.07)

Policies - Statements of responsibility for an operational process’s objectives and related risks, and control activity design, implementation, and operating effectiveness (paragraph 12.03)

Preventive control - An activity that is designed to prevent an entity from failing to achieve an objective or addressing a risk (paragraph 10.04)

Principle - Fundamental concept that is integral to the design, implementation, and operating effectiveness of the associated component (paragraph OV2.05)

Qualitative objectives - Objectives where management may need to design performance measures that indicate a level or degree of performance, such as milestones (paragraph 6.07)

Quality information - Information from relevant and reliable data that is appropriate, current, complete, accurate, accessible, and provided on a timely basis, and meets identified information requirements (paragraph 13.05)

Quantitative objectives - Objectives where performance measures may be a targeted percentage or numerical value (paragraph 6.07)

Reasonable assurance - A high degree of confidence, but not absolute confidence (paragraph OV1.04)

Reporting lines - Communication lines, both internal and external, at all levels of the organization that provide methods of communication that can flow down, across, up, and around the organizational structure (paragraph 3.04)

Residual risk - The risk that remains after management’s response to inherent risk (paragraph 7.03)

Risk - The possibility that an event will occur and adversely affect the achievement of objectives (paragraph 7.02)

Risk tolerance - The acceptable level of variation in performance relative to the achievement of objectives (paragraph 6.08)

Security management - The information processes and control activities related to access rights in an entity’s information technology (paragraph 11.12)

Segregation of duties - The separation of the authority, custody, and accounting of an operation (paragraph 10.13)

Service organization - An external party that performs operational process(es) for an entity (paragraph OV4.01)

Should - Denotes a principle requirement management must comply with except in rare circumstances where the requirement is not relevant for the entity (paragraph OV2.09)

Succession plans - The processes that address an entity’s need to replace competent personnel over the long term (paragraph 4.06)

Transaction - An event that may occur in operational, compliance, or financial processes (paragraph 10.10)

Transaction control activities - Actions built directly into operational processes to support the entity in achieving its objectives and addressing related risks (paragraph 10.10)
