How is a green book powerful? If you stick around you’ll see how the ‘Green Book’ can be a powerful tool for any local government and its implementation could save you thousands of dollars over many years. Yes, chances are thousands of dollars will be saved! The ‘Green Book’ is actually what the GAO named the standards of internal controls for federal entities. If you’re not a federal entity, no worries. The ‘Green Book’ can also be adopted by a state, local, quasi-governmental, or not-for-profits. The basis of the ‘Green Book’ is COSO’s internal controls. What are internal controls? The Green Book defines it as a process used by management to help an entity achieve its objectives. How does it achieve its objectives? Good question! The point of an internal control system is to run operations efficiently and effectively, report liable information about its operations, and comply with applicable laws and regulations.
As a bonus, a strong internal control system fights against fraud, waste, and abuse. Fraud is defined as any illegal activity where the perpetrator intended to perform the activity. Waste is defined as the act of using or expending resources carelessly, extravagantly, or to no purpose. Abuse is defined as involves behavior deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary operational practice given the facts and circumstances. Would it be awesome to tell the public not only is your local government running at top efficiency but also deterring, preventing, and detecting fraud, waste, and abuse? I think so.
The internal control system consists of 5 components, 17 principles. We’ll introduce the five components and provide a general overview of how a local government can implement an internal control system. After reading this report, you would like to learn more, visit the GAO’s website to read the ‘Green Book’.
CONTROL ENVIRONMENT
The five components are the following:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring
Instead of showing each and every principle, we’ll show you how to implement the internal control system per the Federal Government Standards. Let’s review the first principle.
Control Environment
The control environment provides the framework of the entire system. The control environment should demonstrate a commitment to integrity and ethical values. Those charged with governance should oversee the entity’s internal control system. Management should have a practice in place to recruit, develop, and retain competent individuals. Generally speaking, the control environment is the tone at the top. How upper management and the board work and interact and the entire staff depicts how the rest of the entity will operate. If upper management and the Board lead by example and adhere to integrity and ethical values, much of the rest of the entity will follow integrity and ethical behavior. As the saying goes, if they don’t lead by example, any new system of processes and procedures will “fall on deaf ears”.
Upper management and the Board need to realize they affect many of the stakeholders and working with integrity and ethically will influence the entire system for good. The control environment is where management needs to create standards of conduct and an oversight structure. The oversight structure provides another layer of review by those which are deemed ‘Independent’. For smaller entities, this oversight board would likely be the Board members. There should be at least one person with knowledge of finance and accounting to understand the financial reporting and compliance objectives. This oversight board should provide input on the design of the entire internal control system.
Furthermore, management is to hold the staff and key stakeholders accountable. Generally speaking, the control environment is to establish ethics and integrity within the organization, establish an oversight board, develop expectations of staff, and maintain accountability throughout the whole entity.
If principle #1 is not adhered or followed, the entity’s internal control system will be deficient and susceptible to error, waste, abuse, or fraud.
RISK ASSESSMENT
Management needs to assess what is the likelihood or risk that processes and procedures will not work as intended. They need to analyze the current internal control system and assess the risk of circumvention of each and every process/procedure of the entity. How can Management approach such a project? First, define the goals or objectives of the entity and assess the risk that the goals or objectives won’t be attained. Second, Management needs to understand and know their risk tolerance. Third, respond to the risks. Either you will accept the risk (don’t do anything), avoid the risk, reduce the risk, or share the risk. In addition, consider performing a cost-benefit analysis as the more risk you averse normally equates to a higher cost to the entity. There should be a happy medium, especially in smaller governments.
Always consider fraud when identifying the risks. The three types of fraud are Financial reporting, misappropriation of assets, and corruption. As the environment changes, risks will change. Also, don’t forget to account for the change and re-assess periodically.
CONTROL ACTIVITIES
Control activities are the policies and procedures created by management to achieve entity goals. In other words, how does management want the staff to perform on a day to day basis? There should be documentation to show the staff how the day to day tasks should be performed. The documentation should be written and align with the control environment and risk assessment. Procedures should be written to mitigate the risk assessed in the previous step. Management needs to design the appropriate types of control activities:
Reviews of actual performance
- Reviews of management at the functional or activity level
- Physical controls over vulnerable assets
- Segregation of duties
- Proper execution of transactions
- Accurate and timely recording of transactions
Management needs to establish policies and procedures to ensure the day to day tasks of the staff are performed at the highest possible efficiency. In addition, remember to incorporate the risk of fraud when creating these policies/procedures. A system is inefficient if a staff member is using the entity for his/her personal gain.
Some examples of procedures to prevent or detect fraud are:
- Random periodic physical inventory of equipment and other valuable assets including ‘inventory’
- Payment spending limits of staff members
- Anti-fraud training of staff and employee assistance programs
- Review of third-party vendors (Ensure there are no ghost vendors)
- Management and Board need to be aware of business relationships and cost (ie watch out for vendor kick-backs or third-party transactions)
- Segregate duties of a process (ie Input of transaction, custody of assets, and reconciliation should be performed by separate personnel)
Make sure you document each and every policies/procedure and change them periodically as the environment changes.
INFORMATION AND COMMUNICATION
Quality information is key to a strong internal control system. Information needs to be relevant and reliable, and an avenue to which the entity communicates is equally important to internal and external stakeholders.
First, identify your information requirements. What needs to be communication and what is important and vital? Make sure the communication is free of bias. Second, consider who is the audience. Depending on the audience should guide you in the means of communication and the type of information to communicate. Lastly, consider where the communication will take place. Each government has different strategy, management style, etc thus the communication will differ by entity.
Ask yourself, what is best for the entity? Should it be written on a hard copy, electronic copy like PDF, face to face?
This is an important step as incorrect information or an incorrect means of communication can contribute to a decrease in stakeholders’ confidence in the entity.
MONITORING
Finally, since the internal control system is dynamic and changes over time an efficient and effective monitoring system is necessary.
First, management needs to establish a baseline or a way to compare future results. One way to create a baseline is to analyze the current state of the internal control system and use as the baseline. Secondly, management should establish a periodic monitoring activity of the system. The reason for this is as audit findings are communicated or fraud or abuse is identified, the internal control system needs to have a systematic way to change. Management should have a ‘blueprint’ so to speak already in place for when these things happen. At a high level make sure there is a way to report the issue, evaluate the issue, and provide relevant corrective actions.
FINAL THOUGHTS
As you can see a strong internal control system is vital to the operations of any government. The standards provide us with a format to follow. This format includes five components: Control environment, risk assessment, control activities, information and communication, and monitoring. Each of these components need to be aligned and complement each other. If each component is not aligned, then there is a deficiency in the system. You can use the Green Book as a standard to create your own internal control system and if done correctly, the entity should run efficiently and effectively and fight against any fraud, waste, or abuse.
If you would like to speak with me, I am available. Please email me at david@dfarnsworthcpa.com or call me at (408) 780-2236. Have a great day!
David Farnsworth, CPA
P.S. We are on a mission to help local governments with fraud prevention and governmental finance. We exist to help eliminate abuse, wasteful spending and fraud. Our goal is to help you run a transparent financially responsible District or Agency. When you’re ready, here are a few ways we can help right away:
- Sign-up to our monthly newsletter here. We cover topics ranging from fraud prevention, financial reporting, government budgeting, etc.
- Take our fraud risk assessment (link to assessment here) We’ll give you specific recommendations on how to improve your situation right away.
- Receive our free fraud prevention package (click this link to schedule a meeting)
- Jump on a video conference call to get specific fraud prevention recommendations (click this link to schedule a meeting).
- Request a proposal to perform the financial audit. request for proposal.