Understanding the Green Book: Key to Federal Internal Controls

Understand the GAO Green Book’s five internal control components and align with A-123 principles to strengthen fraud prevention and compliance in federal grant management.

The GAO Green Book and OMB Circular A-123 form the foundation of internal control standards in the federal space, offering a structured approach to managing risk, accountability, and fraud prevention. While A-123 applies directly to federal agencies, its principles align with 2 CFR 200 requirements, shaping expectations for all entities managing federal funds.

Key Insights

  • The GAO Green Book outlines five internal control components—control environment, risk assessment, control activities, information and communication, and monitoring—all essential for preventing and detecting fraud.
  • OMB Circular A-123 mandates federal agencies to assess internal controls annually, emphasizing responsibilities such as risk evaluation, control testing, and reporting material weaknesses.
  • Although A-123 does not apply directly to non-federal entities, aligning internal controls with its principles helps meet 2 CFR 200 standards and prepares organizations for federal oversight.


Let's talk about the Green Book and the internal control components. The GAO Green Book is the gold standard for internal controls in the federal space. The Green Book organizes internal control into five components.

First one, control environment. This is the tone at the top. If leadership tolerates shortcuts, ignores policies, or fails to enforce rules, fraud risk skyrockets. The control environment includes ethics, oversight, policies, clarification of responsibilities, expectations for competence, and accountability structures.

The second component is risk assessment. Organizations must identify, analyze, and respond to fraud risk. This includes conducting periodic assessments, which align with Section 303, Subpart C. Risk assessment isn't a document; it is a process.

The third component is control activities. These are the actual tools that prevent or detect fraud: approvals or reviews, verification, segregation of duties, procurement controls, and effective sub-recipient monitoring. Everything we do in grants management touches this component.

Component four, information and communication. Information must flow up, down, and horizontally across the organization. Fraud often thrives when communication breaks down.

And the fifth component, monitoring activities. Monitoring ensures controls work over time. This includes desk reviews, site visits, single audit result tracking, and corrective action planning and follow-up.

The Green Book works hand-in-hand with COSO. If COSO is the global standard, then the Green Book is the federal translation of it. Together they form the strongest shield against fraud.

Let's continue exploring the regulatory ecosystem that governs fraud prevention. In particular, we introduce OMB Circular A-123, which is one of the most influential documents in the federal internal control environment.

Let me explain why A-123 matters to you, even if you're a pass-through entity, a sub-recipient, or a non-profit managing federal assistance. A-123 establishes management's responsibility for internal controls within federal agencies. Now, recipients of federal funds aren't federal agencies, so technically A-123 doesn't apply directly to you.

But here's the key point. Federal agencies must follow A-123. Recipients must follow 2 CFR 200, subsection 303, when it comes to internal controls.

And subsection 303 requires internal controls consistent with the GAO Green Book, the same framework on which A-123 is built. Meaning, A-123 is the blueprint for the federal mindset about internal controls. Understanding it helps you understand what federal reviewers, auditors, and monitors expect from you.

A-123 requires agencies to conduct annual internal control assessments, evaluate entity-level and program-level risk, ensure segregation of duties, document internal control activities, test controls for effectiveness, respond to identified deficiencies, and report material weaknesses to OMB. Sounds familiar? It mirrors sections 303, 330, and 331, and sections 338 and 339 of 2 CFR 200. One of the most powerful phrases in A-123 is the obligation to ensure prevention and detection of fraud, waste, and abuse.

This same phrase shows up repeatedly in federal grants regulations, single audit guidance, and OIG publications.

Let me share with you a quick field story. I once supported a county government organization, a health agency, through a major internal control redesign. Their finance office was technically compliant with 2 CFR 200. They had written procedures, approvals, and documentation. But not one person had ever heard of A-123, the circular.

When we aligned their internal control system to A-123 principles (risk assessment, control testing, and tone at the top), guess what happened? They uncovered three separate weaknesses that had gone unnoticed for years: a manager approving contracts for vendors she previously worked for, a mismatch between payroll records and time and effort certifications, and a subrecipient drawing down cash far in excess of actual expenses. The agency wasn't doing anything wrong on purpose, but without a clear understanding of and alignment with the philosophy behind Circular A-123, their controls lacked depth.

So, what's the reminder? Regulation tells you what to do. A-123 and the Green Book explain how and why. Together, they create a control environment designed not just for compliance, but for integrity.
