Understanding Internal Control Standards in Federal Government

Review the GAO Green Book to understand internal control systems and apply them to achieve an entity's objectives.

The U.S. Government Accountability Office (GAO) issued the Standards for Internal Control in the Federal Government, also known as the Green Book, to provide a comprehensive framework for establishing and maintaining effective internal control systems. These standards aim to ensure that federal entities achieve their objectives related to operations, reporting, and compliance through a structured hierarchy of components and principles.

Key Insights

  • The Green Book outlines three broad objectives for internal control systems: operational efficiency, reliable reporting, and compliance with laws and regulations.
  • The framework consists of five essential components, each encompassing several principles to guide internal control.
  • Although internal controls provide reasonable assurance for achieving an entity's objectives, they cannot guarantee absolute assurance due to inherent limitations in any control system.

This lesson is a preview from our Government Auditor Level I Certificate Program.

The GAO issued Standards for Internal Control in the Federal Government in September 2014. The Integrity Act requires the Comptroller General to issue these standards. Commonly known as the Green Book, they provide an overall framework for establishing and maintaining an effective internal control system.

Your participant guide includes a link to the Green Book.

Definition of Internal Control

Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the entity will achieve its objectives.

These objectives fall into three broad categories:

  • Operations: effectiveness and efficiency of operations
  • Reporting: reliability of internal and external reporting
  • Compliance: compliance with applicable laws and regulations

Internal control includes the plans, methods, policies, and procedures used to fulfill an entity's mission, strategic plan, goals, and objectives. It serves as a first line of defense for safeguarding assets and supporting effective stewardship of public resources.

Responsibilities and Reasonable Assurance

Management is responsible for an effective internal control system. As part of this responsibility, management sets objectives, implements controls, and evaluates the internal control system.

Personnel throughout the entity also play an important role in implementing and operating internal control. An effective internal control system increases the likelihood that an entity will achieve its objectives. However, even a well-designed and well-operated system cannot provide absolute assurance that all objectives will be met. Internal control provides reasonable assurance, not absolute assurance.

The Internal Control Cube

The Green Book depicts the multifaceted nature of internal control as a cube. The three primary control objectives appear across the top: operations, reporting, and compliance.

The five components of internal control appear along the side:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

The cube also shows that controls apply across organizational levels, including the function, operating unit, division, and entity.

Components and Principles

The Green Book approaches internal control through a hierarchical structure of five components and 17 principles. To establish an effective internal control system, the components and principles must be effectively designed, implemented, and operating together. Attributes provide additional clarification for each principle.

Control Environment

The control environment is the foundation for an internal control system. It provides the discipline and structure needed to help an entity achieve its objectives.

  • Principle 1: The oversight body and management should demonstrate a commitment to integrity and ethical values.
  • Principle 2: The oversight body should oversee the entity's internal control system.
  • Principle 3: Management should establish an organizational structure, assign responsibilities, and delegate authority to achieve objectives.
  • Principle 4: Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
  • Principle 5: Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

Risk Assessment

Risk assessment evaluates the risks an entity faces as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

  • Principle 6: Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  • Principle 7: Management should identify, analyze, and respond to risks related to achieving defined objectives.
  • Principle 8: Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
  • Principle 9: Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Control Activities

Control activities are actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, including actions related to the entity's information system.

  • Principle 10: Management should design control activities to achieve objectives and respond to risks.
  • Principle 11: Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
  • Principle 12: Management should implement control activities through policies.

Information and Communication

Information and communication focus on the quality information that management and personnel use and share to support the internal control system.

  • Principle 13: Management should use quality information to achieve the entity's objectives.
  • Principle 14: Management should internally communicate the necessary quality information to achieve the entity's objectives.
  • Principle 15: Management should externally communicate the necessary quality information to achieve the entity's objectives.

Monitoring

Monitoring includes activities that assess internal control performance over time and support timely resolution of findings from audits and other reviews.

  • Principle 16: Management should establish and operate monitoring activities to monitor the internal control system and evaluate results.
  • Principle 17: Management should remediate identified internal control deficiencies on a timely basis.

Discussion Prompt

In performance auditing, the term internal controls is frequently used, but it is not defined in either GAGAS or the Green Book. What terminology in the Green Book best embodies this term? What specific activities, events, or actions would you expect to encounter in practice? Take time to develop responses to these questions.


Penny Popps

Penny N. Popps recently joined the Graduate School USA instructor team in early 2025, teaching in the area of Audit. She is an exceptional leader with over 20 years of private and public sector experience in accounting, audit, compliance, risk management, fraud, and internal controls. A recipient of numerous public service, recognition, and performance awards, she is committed to developing the next generation of financial management and audit professionals.

During her nearly 15 years as a Federal Government Public Servant, Penny held several pivotal transformational leadership roles, including serving as the first Fraud Risk Manager at the U.S. Small Business Administration (SBA), where she successfully helped mature its Fraud Risk Management Program.

She holds a B.B.A. in Accounting from the University of Texas at Arlington, an MBA from Texas Woman’s University, an Advanced Technical Certificate in Professional Accountancy from Dallas College, and multiple professional credentials, including Certified Fraud Examiner (CFE), Certified Internal Controls Auditor (CICA), Department of Defense Financial Management Certification, and an ICF Associate Certified Coach (ACC) Certification.

Prior to her tenure at SBA, Penny spent more than six years at the Department of Housing and Urban Development (HUD), managing projects that advanced the delivery of affordable, safe, and decent housing while safeguarding HUD programs from fraud, waste, and abuse. She led multiple audit teams in conducting complex quality control reviews of independent public accounting firms, CIGIE reviews, financial assessments, staffing studies, and annual OMB A-123 risk assessment reviews for the Accountability, Integrity, & Risk (AIR) Program.

During her federal career, Penny also served as the Branch Chief of Financial Reporting at the DHS ICE OCFO, Office of FM–Financial Service Center. She oversaw the operations of the Payroll and Fund Balance with Treasury Units for all DHS ICE components, which processed approximately $5.2 billion in payroll transactions and reconciled $10.1 billion in cash transactions, significantly improving financial management operations.

She also led and supervised audit teams at the Defense Contract Audit Agency (DCAA), recovering millions in questioned costs from contractors. In state government, she recovered millions in sales and use tax dollars owed to the Texas State Comptroller of Public Accounts, ensuring taxpayer funds were used responsibly and efficiently.

Penny’s private-sector experience includes helping build successful internal audit divisions at major corporations such as Essilor Group and Fossil Group. Throughout her career, she has continued to expand her expertise while paying it forward by mentoring, coaching, and training professionals entering the accounting, audit, compliance, risk management, fraud, and internal controls fields.

Deeply committed to service, Penny is passionate about her philanthropic and volunteer work, especially with Alpha Kappa Alpha Sorority, Inc. and the Junior League of Washington. Her mission is to provide service to all mankind throughout her career, retirement, and life. She currently resides in Alexandria, VA, and enjoys spending her leisure time reading.
