Establishing and Operating an Effective Internal Control System for Auditors

How GAO’s Green Book components, principles, and objectives guide internal control design.

The GAO Green Book provides the structured framework federal agencies must use to establish effective internal control systems. These systems help managers design controls, define objectives, assess risks, and operate programs with greater efficiency, integrity, and accountability.

This lesson is a preview from Graduate School USA's Manager’s and Auditor’s Roles in Assessing Internal Control Course.

Framework for Building and Operating an Internal Control System

The GAO Green Book describes the framework that federal agencies must use for designing, implementing, and operating an effective system of internal control. “An effective internal control system increases the likelihood that an entity will achieve its objectives.”

To implement this framework, agencies must design policies and procedures that fit their specific circumstances and integrate them into daily operations. This requires agencies to understand their mission, develop a strategic plan, establish objectives, and formulate plans to achieve those objectives. These objectives may relate to the agency as a whole or to specific functions and activities.

Internal control is an integral part of the entire cycle of strategic planning, goal and objective setting, budgeting, program management, accounting, and auditing. The system of internal control must support the effectiveness and integrity of every step in the process and provide continual feedback to management.

Components, Principles, and Attributes

In the 2025 update of the Green Book, GAO significantly expanded the standards, guidance, and requirements for internal control. In addition to the five components presented in Module 2, the updated standards now include seventeen principles and enhanced documentation requirements.

The five components represent the highest level of the hierarchy of internal control standards in the federal government. The principles support the effective design, implementation, and operation of their associated components.

The components and principles together represent the requirements necessary to establish an effective internal control system. They must be effectively designed, implemented, and operating—and must function together in an integrated manner—for the internal control system to be considered effective.

The five components and related principles apply to staff at all organizational levels and to all categories of objectives. Each principle includes “attributes” that clarify what the requirement is intended to cover and provide examples of internal control procedures.

However, the Green Book does not prescribe in detail how agencies must design, implement, or operate an internal control system. Management must use judgment in selecting and applying the attributes as they work to meet the requirements of the standards and principles.

Agency Structure and Objectives

A direct relationship exists among an agency’s objectives, the five components of internal control, and the organizational structure:

  • Objectives are what an agency wants to achieve.
  • The five components and seventeen principles of internal control are required to achieve those objectives.
  • Organizational structure encompasses the operating units, processes, and other structures management uses to achieve the objectives.

Management sets objectives to support the agency’s mission, strategic plan, and goals and to comply with applicable laws and regulations. Objectives must be established before an internal control system can be designed. Management may set these objectives as part of the strategic planning process required by OMB Circular A-11, Part 6.

As part of designing an internal control system, management defines objectives in specific, measurable terms so the agency can identify, analyze, and respond to risks affecting their achievement. Sub-objectives may also be established for individual units within the agency.

Management and employees should understand the objectives, sub-objectives, and defined performance levels applicable to their programs and activities, as this shared understanding is essential for accountability in an internal control system.

Categories of Objectives

Management groups objectives into one or more of the three categories described in Module 2. These are discussed further below.

Operations Objectives

Operations objectives relate to program operations that support the agency’s mission. An agency’s mission is typically defined in its strategic plan, which sets goals and objectives along with the operational performance required to achieve them.

Effective operations produce the intended results, while efficient operations do so with minimal waste of resources. Together, these concepts support the effective and efficient achievement of an agency’s mission.

Reporting Objectives

Reporting objectives relate to preparing reports for use by the agency, its stakeholders, or other external parties. Reporting objectives may be further grouped into the following subcategories:

  • External financial reporting objectives: Objectives related to releasing the agency’s financial performance in accordance with professional standards, applicable laws and regulations, and stakeholder expectations.
  • External nonfinancial reporting objectives: Objectives related to releasing nonfinancial information in accordance with appropriate standards, applicable laws and regulations, and stakeholder expectations.
  • Internal financial and nonfinancial reporting objectives: Objectives related to gathering and communicating information needed by management to support decision-making and evaluate agency performance.

Compliance Objectives

Compliance objectives relate to adhering to applicable laws and regulations. These objectives are significant because laws and regulations often prescribe a government agency’s mission, structure, methods for achieving objectives, and reporting requirements.

When specifying compliance objectives, management determines which laws and regulations apply to the agency and sets objectives that incorporate these requirements. Management then determines the controls needed to design, implement, and operate in order to fully achieve those objectives.

Safeguarding of Assets

A subset of the three categories of objectives is the safeguarding of assets. Management designs an internal control system to provide reasonable assurance regarding the prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an agency’s assets.

Kim Peppers

Kimberly Peppers spent 37 years as a federal employee culminating in leadership roles as regional inspector general and audit director in multiple federal agencies; building a career in federal audit, budget and program analysts’ positions. She has subsequently worked in the federal consulting environment. Kim considers among her notable achievements obtaining her doctorate, in business administration while concurrently working in audit and investigations stationed in the middle east.

More articles by Kim Peppers

How to Learn Auditing

Build practical, career-focused federal auditing skills through hands-on training designed for beginners and professionals alike. Learn fundamental tools and workflows that prepare you for real-world projects or industry certification.