posted February 1, 2017

Using the “Green Book” to Set a System of Internal Controls

by Melanie Askew, CPA, Senior Associate

The Standards for Internal Control in the Federal Government, also known as the “Green Book,” sets the standards for an effective internal control system for federal agencies. These control standards are widely adopted by state and local agencies as part of an organizational process to aid in working more efficiently and effectively, increasing accuracy in reporting, and ensuring compliance with laws and regulations. These ideas can also be used to strengthen an existing internal control system or create a new system if needed.


These controls are set up with five major components, composed of 17 detailed principles which form the basis for development of internal controls. The major components are: 1) Control Environment, 2) Risk Assessment, 3) Control Activities, 4) Information and Communication, and 5) Monitoring.

This article utilizes an example of a smaller non-profit organization providing services to homeless military veterans to demonstrate how these ideas can be applied. However, these ideas can work with any type of entity, including larger school districts or municipalities.

Before setting up internal controls, you should begin with defining the organization. This includes the identification of a mission, strategic plan, objectives, and plans to reach those objectives. For our example non-profit, the objective could be to reduce homelessness in veterans by renovating vacant homes. This sets the initial guide for the use of resources, as well as identifying the general purpose of the entity and providing focus. The implementation of controls must consider how to ensure resources are not diverted into something that doesn’t contribute to the objective. The controls will assist in reaching the objectives set for the organization.

Once the organization has been defined, then the five major components can be used to develop the internal controls. The five components need to be fully integrated to create an effective internal control system.


Control Environment

The control environment is the foundation or basic controls over the resources and objectives. There are five principles under this area. The oversight body and management should:

  1. Demonstrate a commitment to integrity and ethical values,
  2. Oversee the entity’s internal control system,
  3. Establish an organization structure,
  4. Demonstrate a commitment to recruit, develop and retain competent individuals, and
  5. Evaluate performance and hold individuals accountable.

For our example, the non-profit would establish clear standards of conduct outlining expectations of employees and how they will be evaluated and potentially disciplined if this standard of conduct is not met. In this area, they would also set up the organization structure, lines of authority and responsibility, and hiring policies, as well as document the internal control system.

Risk Assessment

Once this basic framework is developed, the next step is the Risk Assessment. There are four basic principles for risk assessment:

  1. Clearly define objectives to identify risks,
  2. Define risk tolerances and identify, analyze, and respond to risks,
  3. Consider the potential for fraud when identifying, analyzing and responding to risks, and
  4. Identify, analyze, and respond to significant changes that could impact the internal control system.

For our example, the organization would include very specific and clear language about the objectives. Instead of stating “help homeless veterans,” the organization identifies a particular goal, such as “purchasing vacant and abandoned properties with the intent to renovate or rebuild these to create home living environments for the placement of US military veterans and their families at a reduced or free rent causing a reduction of 10% in homelessness.” This kind of statement clearly outlines what the goal is to ensure all significant potential risks can be more easily identified.

The entity would then determine what risks might occur and what level of risk would be acceptable, including potential fraud risks. Examples could include an employee awarding the construction contracts to their brother or best friend, builders using too many nails in a door jamb, or people posing as veterans to obtain free housing. The entity could determine that the risk of too many nails in one door is acceptable and might not try to develop controls in this area but focus resources on other controls. The cost of implementing controls can and should be considered when determining what level of risk is acceptable. It wouldn’t help achieve the organization’s mission to spend $100,000 on a control to count how many nails are used in each door when the cost of the extra nails is only $100 per year. In addition, the entity would also need to consider any legal or granting agency requirements and the risks of noncompliance over those items.

Once the risks have been identified, a process or set of processes can be developed to address the relevant risks. Examples would be procurement processes and eligibility processes. Most granting agencies already provide information on controls to put in place to meet their compliance guidelines. These can be used to help strengthen and/or build responses to risks.

Finally, the organization needs to be aware of potential change and develop strategies to respond to change. This could include technological change, economic change, or shifts in the political environment. There should be established processes to monitor changes in the operating environment and to respond to those changes.

Control Activities

Once the risks are defined and the basic processes are determined, the entity would need to develop the control activities. There are three principles for this area:

  1. Design control activities to achieve objectives and respond to risks,
  2. Design the entity’s information system and control activities, and
  3. Implement them through policies.

These are the detailed processes and procedures put in place to respond to the risks noted as well as to ensure objectives are being met. Some examples include:

  • Conduct top-level reviews of actual performance
  • Implement controls over information processing
  • Establish physical control over vulnerable assets
  • Restrict access to resources and records and establish accountability
  • Require appropriate documentation of transactions and internal control
  • Develop and utilize a chart of accounts
  • Limit access using locks on gates
  • Require computer passwords to be a certain length

In our example, some specific items related to the identified risks would include requiring three quotes or written bids, requiring statements from employees over potential conflicts of interest, and performing checks to ensure potential clients are honorably discharged from the military.

Information and Communication

This component includes three principles to guide management:

  1. Use quality information to achieve the organization’s objectives,
  2. Communicate necessary information internally, and
  3. Communicate necessary information externally.

Information used both inside and outside the organization should be as accurate and relevant as possible. First, the entity must determine what information is required, identify where the data can be obtained and how reliable that data is, and then process it into quality information. For our example non-profit, relevant data may include how many homes were purchased, rebuilt, and subsequently provided to the clients. Another example could be identifying the amount of Federal grant money used to provide direct services versus the amount spent on general operations of the non-profit.

This information should be provided from the project and accounting records. If the only data source is scraps of paper and Post-it notes, that’s not likely to be very reliable information. More reliable sources may be accounting software, vendor invoices, and receipts.

Controls over this area also need to include what information is acceptable to provide to either internal or external sources. For example, social security numbers or other personal information should not be shared with just anyone, but only on a need-to-know basis. Additionally, processes should be put in place to ensure reports to external parties are completed timely and only include information required to be disseminated.

Monitoring

Finally, the entity should ensure monitoring of all of these items. The two principles for this area are that management should:

  1. Establish and operate monitoring activities to monitor the internal control system and evaluate the results and
  2. Remediate identified internal control deficiencies in a timely manner.

On a continual and regular basis, the organization should be reviewing its internal controls to ensure they are operating properly. This should be documented and include evaluations of individual processes as well as ensuring their functionality as an integrated system. This could include small internal audits of various procedures and processes to be sure they are running the way they were planned or designed. It could also include reviews by external auditors. Additionally, the entity could set up an autonomous process that continually checks certain processes for errors. Following the reviews, any noted deficiencies should be evaluated and the organization should determine if changes to the processes are necessary. In addition, further staff training could be provided if it appears that the control is designed properly but personnel are not properly implementing it.

While the implementation or improvement of an internal control system may seem like a daunting task, the use of an established set of guidelines such as those provided in the Green Book can help any organization complete this important process. The complete Green Book is available at

The content of these pages is for general information purposes only and does not constitute advice. Heinfeld, Meech & Co., P.C. tries to provide content that is true and accurate as of the date of writing; however, we give no assurance or warranty regarding the accuracy, timeliness, or applicability of any of the contents.