Legislation, Standards, and Guidance for Auditors

Key federal laws, GAO standards, and audit requirements shaping internal control assessment.

Internal control requirements for federal agencies are rooted in decades of legislation and strengthened through GAO and OMB guidance. Auditors must understand these frameworks to evaluate risk, assess control effectiveness, and ensure accountability across government programs.

This lesson is a preview from Graduate School USA's Manager’s and Auditor’s Roles in Assessing Internal Control Course.

Congress has long recognized the importance of internal control, beginning with the passage of the Budget and Accounting Procedures Act of 1950. The 1950 act required agency heads to establish and maintain systems of accounting and internal control to provide:

  • Adequate financial information for the agency’s management purposes.
  • Effective control over and accountability for the agency’s funds, property, and other assets.

In 1982, following a series of highly publicized internal control breakdowns, Congress passed the Integrity Act with the goal of strengthening internal control and accounting systems. The act defined internal control broadly to include program, operational, and administrative controls.

Accountability and Internal Control Laws

Following the 1982 Integrity Act, several additional legislative initiatives were enacted to improve government effectiveness and accountability, including:

  • The Chief Financial Officers Act of 1990 provided for a major transformation of federal financial management and required financial management systems to comply with GAO’s internal control standards.
  • The Government Performance and Results Act (GPRA) of 1993 Required agencies to clarify missions, set strategic and annual performance goals, and measure progress toward those goals. Internal control plays a significant role in helping managers achieve these goals.
  • The Government Management Reform Act of 1994 expanded the CFO Act by establishing requirements for preparing and auditing agency-wide financial statements and consolidated financial statements for the federal government as a whole.
  • The Federal Financial Management Improvement Act of 1996 identified internal control as an integral part of improving financial management systems.
  • The GPRA Modernization Act of 2010 established new responsibilities for managing agency performance, including a requirement for agencies to publish their performance plans and accountability reports on the Internet, a vital component of accountability and internal control.

For additional information on relevant federal legislation, see Appendix A.

As Congress strengthened internal control requirements in the federal government, publicly held private companies were also being held to higher expectations. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its internal control guidance in 2013 with the issuance of the revised Internal Control—Integrated Framework, introducing 17 principles linked to the five components of internal control.

The GAO Green Book adapts these principles for government use in the Standards for Internal Control in the Federal Government (GAO-25-107721, issued in 2025).

Additionally, in 2002, Congress enacted the Sarbanes–Oxley Act to protect shareholders and the public from accounting errors and fraudulent reporting. The act required, among other things, stronger internal controls. In response, OMB issued new requirements in 2004 addressing internal control over financial reporting in Appendix A of OMB Circular A-123. OMB updated Appendix A in 2018; it is now called Management of Reporting and Data Integrity Risk.

A Closer Look at the Integrity Act

Congress included only a few basic—but far-reaching—requirements in the two-page Integrity Act of 1982. These requirements form the foundation of the current federal accountability model and continue to drive efforts across the federal government to maintain and continuously improve internal control.

The terms in bold above have particular significance to the statutory responsibilities of GAO, OMB, and federal agencies. They are prominent in today’s internal control standards and guidance. For example, evaluation refers to the basis for annual assurance statements required of federal agencies, and material weakness refers to an internal control condition that must be reported—along with a corrective action plan and schedule—to the President and Congress. See Appendix B for a complete version of the Integrity Act.

While the above requirements remain intact today, implementation has evolved over the years as additional laws were enacted and as new control issues emerged. These developments have prompted GAO and OMB to update the standards and guidelines several times since 1982.

GAO updated its Standards for Internal Control in the Federal Government (Green Book) in 2025. OMB retitled, revised, and expanded its guidelines as OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control in July 2016. OMB reissued Appendix A to Circular A-123, now titled Management of Reporting and Data Integrity Risk, on June 6, 2018, which included Memorandum M-18-16.

The following content provides an overview of GAO standards and OMB guidelines, the fundamental concepts of internal control outlined in those documents, and a brief summary of current federal requirements for establishing and maintaining effective internal control. Subsequent modules will discuss agency responsibilities for evaluating internal control, identifying and correcting deficiencies, and reporting on internal control effectiveness.

GAO Internal Control Standards

GAO’s Green Book sets the standards for an effective internal control system for federal agencies. It provides the overall framework for designing, implementing, and operating an effective internal control system. Agencies are to use the Green Book to help achieve their objectives related to operations, reporting, and compliance.

The current version of the Green Book is effective beginning with FY 2026. You have been provided the latest edition. Go to the first page of the standards to review important facts and concepts on internal control. In addition, review pages 3–4 describing how to use the Green Book.

We will cover details of the five components and 17 principles of an effective internal control system in subsequent modules. As a starting point, it is important to understand key definitions and fundamental concepts that support those components.

Definition of Internal Control

In Exercise 1.1, you provided your own definition of internal control. Although many definitions exist, GAO defines internal control as follows:

“Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.”

As stated in the GAO standards, internal control comprises the plans, methods, policies, and procedures used to fulfill an agency’s mission, strategic plan, goals, and objectives. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.

Internal Control System

GAO also defines an internal control system as follows:

“An internal control system consists of integrated and continuous processes, effected by people, that are collectively designed to provide reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.”

Generally Accepted Government Auditing Standards: The Yellow Book

The Generally Accepted Government Auditing Standards (GAGAS), commonly referred to as the Yellow Book, provides a framework for conducting high-quality audits of government entities, entities that receive government awards, and audit organizations performing GAGAS audits. GAGAS includes standards related to ethics, independence, professional judgment, competence, quality control, performance of the audit, and reporting.

The term auditors refers to anyone, regardless of job title, conducting financial audits, attestation engagements, or performance audits/evaluation work in accordance with GAGAS.

The requirements for assessing and reporting on the quality or deficiencies of internal controls appear throughout Chapters 1 through 9 of the standards. Below are several citations and excerpts demonstrating the importance of internal control assessment during the planning, fieldwork, and reporting stages of financial, attestation, and performance audits.

Financial Audits

1.17 Financial audits provide independent assessments of whether entities’ reported financial information (e.g., financial condition, results, and use of resources) is presented fairly, in all material respects, in accordance with recognized criteria. Financial audits conducted in accordance with GAGAS include financial statement audits and other related financial audits.

a. Financial Statement Audits

The primary purpose of a financial statement audit is to provide financial statement users with an auditor’s opinion on whether an entity’s financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework.

Reporting on financial statement audits conducted in accordance with GAGAS also includes:

  • Reports on internal control over financial reporting, and
  • Reports on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements.
b. Other Types of Financial Audits

Other types of financial audits conducted in accordance with GAGAS may include various scopes of work, such as:

  1. Obtaining sufficient, appropriate evidence to form an opinion on a single financial statement or specified elements, accounts, or line items of a financial statement.
  2. Issuing letters (commonly referred to as comfort letters) for underwriters and other requesting parties.
  3. Auditing applicable compliance and internal control requirements related to one or more government programs.
  4. Conducting an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit).

Kim Peppers

Kimberly Peppers spent 37 years as a federal employee culminating in leadership roles as regional inspector general and audit director in multiple federal agencies; building a career in federal audit, budget and program analysts’ positions. She has subsequently worked in the federal consulting environment. Kim considers among her notable achievements obtaining her doctorate, in business administration while concurrently working in audit and investigations stationed in the middle east.

More articles by Kim Peppers

How to Learn Auditing

Build practical, career-focused federal auditing skills through hands-on training designed for beginners and professionals alike. Learn fundamental tools and workflows that prepare you for real-world projects or industry certification.