Internal controls form the foundation of effective governance, and auditors play a critical role in evaluating whether these controls are properly designed, implemented, and functioning. Understanding internal control requirements is essential for conducting high-quality federal audits.
This lesson is a preview from Graduate School USA's Assessing Controls in Performance Audits Course.
Management’s Responsibility for Controls
Public managers are responsible and accountable for both stewardship and performance.
- Stewardship focuses on how resources have been used and for what purpose.
- Performance focuses on what has been accomplished with those resources.
To meet their responsibilities for stewardship and performance, managers must, among other things:
- Establish appropriate processes and controls, and
- Periodically assess:
  - The adequacy of those processes and controls, and
  - The adequacy of performance.
In the federal government:
- Establishment and assessment of internal controls is required by the Federal Managers’ Financial Integrity Act (FMFIA).
- Measurement and assessment of performance is required by the Government Performance and Results Act (GPRA).
GAO’s Standards for Internal Control in the Federal Government (Sept. 2014 Update, Effective FY2025)
The Integrity Act requires the Comptroller General to issue Standards for Internal Control in the Federal Government. These standards, commonly known as the Green Book, provide the overall framework for establishing and maintaining an effective internal control system.
Definition of Internal Control
Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of the entity will be achieved. These objectives fall into three broad categories:
- Operations: Effectiveness and efficiency of operations
- Reporting: Reliability of reporting for internal and external use
- Compliance: Compliance with applicable laws and regulations
Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. Internal control also serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.
Management is responsible for an effective internal control system. As part of this responsibility, management sets the entity’s objectives, implements controls, and evaluates the internal control system. However, personnel at all levels play important roles in implementing and operating the internal control system.
An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, internal control cannot provide absolute assurance that all objectives will be met.
The Internal Control Cube
The Green Book depicts the multifaceted aspects of internal control in the form of a cube. The three primary control objectives are displayed along the top; the five components of internal control form the rows on the side; and the application of these controls to all organizational levels is represented in the third dimension.
GAO’s Internal Control Standards: Components and Principles
While there are different ways to achieve internal control within an organization, the Green Book presents internal control through a hierarchical structure consisting of five components and 17 principles. These components and principles must be effectively designed, implemented, and operating together to establish an effective internal control system. Attributes further clarify each principle.
Control Environment
The control environment is the foundation for an internal control system. It provides the discipline and structure needed to help an entity achieve its objectives.
- The oversight body and management should demonstrate a commitment to integrity and ethical values.
- The oversight body should oversee the entity’s internal control system.
- Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
- Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
Risk Assessment
Risk assessment involves identifying and analyzing the risks an entity faces as it works to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
- Management should define objectives clearly to enable the identification of risks and establish risk tolerances.
- Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
- Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Control Activities
Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, including controls within the entity’s information system.
- Management should design control activities to achieve objectives and respond to risks.
- Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
- Management should implement control activities through policies.
Information and Communication
Information and communication relate to the quality information that management and personnel generate, share, and use to support the internal control system.
- Management should use quality information to achieve the entity’s objectives.
- Management should internally communicate the necessary quality information to achieve the entity’s objectives.
- Management should externally communicate the necessary quality information to achieve the entity’s objectives.
Monitoring
Monitoring consists of activities established and operated by management to assess the quality of performance over time and to promptly resolve the findings of audits and other reviews.
- Management should establish and operate monitoring activities to assess the internal control system and evaluate the results.
- Management should remediate identified internal control deficiencies on a timely basis.