Presentation of Standards
OV2.01 The Green Book defines the standards for internal control in the federal government. FMFIA requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities to determine if an internal control system is effective. Nonfederal entities may use the Green Book as a framework to design, implement, and operate an internal control system.
OV2.02 The Green Book applies to all of an entity’s objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the Green Book, management is responsible for designing the policies and procedures to fit an entity’s circumstances and building them in as an integral part of the entity’s operations.
Components, Principles and Attributes
OV2.03 An entity determines its mission, sets a strategic plan, establishes entity objectives, and formulates plans to achieve its objectives. Management, with oversight from the entity’s oversight body, may set objectives for an entity as a whole or target activities within the entity. Management uses internal control to help the organization achieve these objectives. While there are different ways to present internal control, the Green Book approaches internal control through a hierarchical structure of five components and 17 principles. The hierarchy includes requirements for establishing an effective internal control system, including specific documentation requirements.
OV2.04 The five components represent the highest level of the hierarchy of standards for internal control in the federal government. The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The five components of internal control are as follows:
OV2.05 The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.
OV2.06 In general, all components and principles are relevant for establishing an effective internal control system. In rare circumstances, there may be an operating or regulatory situation in which management has determined that a principle is not relevant for the entity to achieve its objectives and address related risks. If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. In addition to principle requirements, the Green Book contains documentation requirements.
OV2.07 The Green Book contains additional information in the form of attributes. These attributes are intended to help organize the application material management may consider when designing, implementing, and operating the associated principles. Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Attributes may also provide background information on matters addressed in the Green Book.
OV2.08 Attributes are relevant to the proper implementation of the Green Book. Management has a responsibility to understand the attributes and exercise judgment in fulfilling the requirements of the standards. The Green Book, however, does not prescribe how management designs, implements, and operates an internal control system.
OV2.09 The figure below lists the five components of internal control and 17 related principles.
Internal Control and the Entity
OV2.10 A direct relationship exists among an entity’s objectives, the five components of internal control, and the organizational structure of an entity. Objectives are what an entity wants to achieve. The five components of internal control are what are required of the entity to achieve the objectives. Organizational structure encompasses the operating units, operational processes, and other structures management uses to achieve the objectives. This relationship is depicted in the form of a cube developed by COSO.
OV2.11 The three categories into which an entity’s objectives can be classified are represented by the columns labeled on top of the cube. The five components of internal control are represented by the rows. The organizational structure is represented by the third dimension of the cube.
OV2.12 Each component of internal control applies to all three categories of objectives and the organizational structure. The principles support the components of internal control (see figure below).
OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors.
OV2.14 Because internal control is a part of management’s overall responsibility, the five components are discussed in the context of the management of the entity. However, everyone in the entity has a responsibility for internal control. In general, roles in an entity’s internal control system can be categorized as follows:
OV2.15 External auditors and the office of the inspector general (OIG), if applicable, are not considered a part of an entity’s internal control system. While management may evaluate and incorporate recommendations by external auditors and the OIG, responsibility for an entity’s internal control system resides with management.
OV2.16 Management, with oversight by an oversight body, sets objectives to meet the entity’s mission, strategic plan, and goals and requirements of applicable laws and regulations. Management sets objectives before designing an entity’s internal control system. Management may include setting objectives as part of the strategic planning process.
OV2.17 Management, as part of designing an internal control system, defines the objectives in specific and measurable terms to enable management to identify, analyze, and respond to risks related to achieving those objectives.
Categories of Objectives
OV2.18 Management groups objectives into one or more of the three categories of objectives:
OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources.
OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission.
OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories:
OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively.
OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity.
Safeguarding of Assets
OV2.24 A subset of the three categories of objectives is the safeguarding of assets. Management designs an internal control system to provide reasonable assurance regarding prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an entity’s assets.
OV2.25 Management can develop from objectives more specific subobjectives throughout the organizational structure. Management defines subobjectives in specific and measurable terms that can be communicated to the personnel who are assigned responsibility to achieve these subobjectives. Both management and personnel require an understanding of an objective, its subobjectives, and defined levels of performance for accountability in an internal control system.