Appendix XII: The Cost Estimating Process and Internal Control

Internal Control Systems

An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. An effective internal control system helps an entity adapt to shifting environments, evolving demands, changing risks, and new priorities. As programs change and entities strive to improve operational processes and implement new technology, management continually evaluates its internal control system so that it is effective and updated when necessary.

A key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system. As defined in Government Auditing Standards, internal control includes the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity.[77]

GAO’s Standards for Internal Control in the Federal Government (known as the Green Book) provides the overall framework for establishing and maintaining an effective internal control system.[78] The Green Book provides managers criteria for designing, implementing, and operating an effective internal control system. It defines the standards through components and principles and explains why they are integral to an entity’s internal control system. The Green Book also clarifies what processes management considers part of internal control. In a mature and highly effective internal control system, internal control may be indistinguishable from the day-to-day activities personnel perform.

Standards in the Green Book are organized into five components of internal control. As shown in figure 41, the components apply to staff at all levels of the organization and to all categories of objectives.

Figure 41: Internal Control Cube

Each of the five components of internal control contains several principles. Principles are the requirements of each component (figure 42).

Figure 42: Principles of Internal Control

The five components of internal control and their associated principles are as follows:

  • Control environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
    • Principle 1: The oversight body and management should demonstrate a commitment to integrity and ethical values.
    • Principle 2: The oversight body should oversee the entity’s internal control system.
    • Principle 3: Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
    • Principle 4: Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
    • Principle 5: Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
  • Risk assessment - Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
    • Principle 6: Management should define objectives clearly to enable the identification of risks and define risk tolerances.
    • Principle 7: Management should identify, analyze, and respond to risks related to achieving the defined objectives.
    • Principle 8: Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
    • Principle 9: Management should identify, analyze, and respond to significant changes that could impact the internal control system.
  • Control activities - The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
    • Principle 10: Management should design control activities to achieve objectives and respond to risks.
    • Principle 11: Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
    • Principle 12: Management should implement control activities through policies.
  • Information and communication - The quality information management and personnel communicate and use to support the internal control system.
    • Principle 13: Management should use quality information to achieve the entity’s objectives.
    • Principle 14: Management should internally communicate the necessary quality information to achieve the entity’s objectives.
    • Principle 15: Management should externally communicate the necessary quality information to achieve the entity’s objectives.
  • Monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.
    • Principle 16: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
    • Principle 17: Management should remediate identified internal control deficiencies on a timely basis.

Each principle has important characteristics, called attributes, that explain the principle in greater detail and contribute to its design, implementation, and operating effectiveness.

77. GAO, Government Auditing Standards, GAO-18-568G (Washington, D.C.: July 2018).

78. GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September 2014).