
CPE for Government Auditors

163 Times!

The 2018 version of the Yellow Book mentions audit objectives 163 times in one chapter; Chapter 8 the Performance Audit Fieldwork chapter. That tells me that objectives run the show!

A few years ago, I created a white paper on objectives.  The concepts covered in the white paper are even more important today.  Please find a copy of it here.

And if you want to experience creating and refining objectives along with me, please join me in Austin on September 6 &7.

Audit on!


What is an auditor?

Please enjoy this first chapter of the self-study book Essential Skills for Government Auditor, available on

So here you are, an auditor. No other job title is more likely to be a conversation stopper at a dinner party.  No one likes to be audited.

But auditors do have an important role to play because, unfortunately, government leaders can’t trust program managers when they say, “Everything here is fine.  Don’t worry about us!” Government leaders and citizens do worry and want assurance from someone they can trust that everything is going well.  The auditor is that professional whom the leaders and the citizens can trust.

One definition of auditor is:  An independent professional who evaluates a subject matter against agreed-upon criteria.

This definition has several important components: independence, subject matter, and criteria.  Let’s look at each of those components in turn.


Auditors must be independent of their clients and the subject matter they are auditing.  But who are these clients?

The Government Accountability Office (GAO), the federal audit organization that writes the governmental auditing standards (a.k.a. the Yellow Book) has a very broad definition of client.  The GAO says, “A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest.” And they define public interest as “the collective well-being of the community and entities the auditors serve.”  Did you know you had such a noble job?

CPAs are held to the same standard. They are certified “public” accountants after all. They have a primary responsibility to the public and a secondary responsibility to their audit client.

Clients in the government realm include management of the auditee, governing bodies, oversight bodies, special interest groups, other citizens, and the people who actually benefit from the government’s services.

If you think about it, auditors are often the only professionals involved in an organization or in a program who can comfortably speak the truth because, being independent, they are (hopefully) shielded from backlash.

GAGAS (Yellow Book 2011) 3.04     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

The recipients of governmental funds aren’t likely to uncover their own risks or highlight their own weaknesses because they could lose their funding. And the oversight bodies might be so far removed from the program that they don’t have a sense of what is really happening.

You can make quite a difference in an organization. The GAO’s Yellow Book says that you are “essential to the nation’s governing process!” Wow, that is quite a responsibility!

Consulting vs. Auditing

Some professionals who call themselves auditors are actually consultants. They help the client implement systems or spend months working to help the client with a technical issue. Consultants are allowed to get involved in the day-to-day operations of a department.

The Institute of Internal Auditors (one of the standard-setting bodies that I will explain further in the next chapter) encourages consulting and has created consulting standards for their members.

The Government Accountability Office (GAO) calls consulting by another name, “non-audit services,” and puts up numerous barriers to prevent auditors from also serving as consultants. The GAO believes that you cannot both consult regarding an audit subject matter and later serve as objective, independent evaluator of the same subject matter.

In this text, our focus will be on auditing and auditing standards.

Subject matter and criteria

Auditors opine or conclude on whether a subject matter meets certain criteria.

All auditors struggle to keep their audits limited in size and scope. It is extremely easy to create monstrous projects that are hard to rein in and report on.

In response to this struggle, most audit standards require that you develop a finite objective and scope for each engagement.   Embedded in the audit objective are the audit subject and the criteria the auditor will use to evaluate the audit subject.

The GAO has this to say about the audit objective and scope in the Yellow Book:

GAGAS 6.08     The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. The term “program” is used in GAGAS to include government entities, organizations, programs, activities, and functions.

GAGAS 6.09     Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

The objective and scope define what the project is, as well as what it is not. Objectives are assessed against agreed upon criteria, which are benchmarks established by law, governing organizations, or company policies and procedures. (For more on criteria, read Chapter 6.)

To satisfy the audit objective, you will gather and document audit evidence.  The techniques that you use to gather evidence are called audit methodologies.

6.10     The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors perform to address the audit objectives. Auditors should design the methodology to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives and to reduce audit risk to an acceptable level.

All three of these elements – the objective, scope, and methodology – are essential to describe what you seek to accomplish on the audit. (For more on methodology, see Chapter 15.)   The GAO requires that auditors both document these three defining elements in the working papers and disclose them in the audit report.

Audit deliverables

As Stephen Covey says, you should begin with the end in mind.  So before we dig in to the steps of conducting an audit, let’s look at what you will have when you are all done.  Auditors create three deliverables from an audit project:

  • The answer to the audit objective – called either an audit conclusion or an audit opinion
  • Findings – issues that the auditor would like to see addressed or corrected by the client
  • Working papers – documentation of the evidence the auditor gathered to support the conclusions and the findings.

If you are following GAO’s audit standards (The Yellow Book) for performance audits, you must put this promise – word for word – in your audit report:

7.30     We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As you seek to satisfy your audit objectives, you will gather evidence using audit methodologies.  Some auditors call audit methodologies audit tests or audit program steps.  The results of applying these methodologies must be documented.

6.79     Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to conduct the performance audit. These competencies and skills include an understanding of (1) the performance audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit objectives, and (4) issues related to the audited entity’s environment.

6.80     Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.

Questions auditors answer

In order to give the client assurance regarding an audit subject, you must answer questions that naturally arise as you seek the answer to your audit objective.

  1. What is the current state of affairs? (condition)
  2. What should be the current state of affairs? (criteria)
  3. What has caused the current state of affairs? (cause)
  4. Why is the current state of affairs undesirable? (effect)
  5. What should be done to correct the current state of affairs? (recommendation)

Notice that these questions assume that something is wrong.  Auditors tend to think that way!  Because of time constraints, auditors focus on risks, negative events, and the issues that need fixing instead of proving the good that occurs in an organization.  In that way, auditors are like journalists.

You will see these questions used in later chapters and referred to as the “elements of a finding.” Auditors following IIA & GAO standards use them to write audit findings when they find something that needs to be corrected, such as an internal control weakness, non-compliance, fraud, and/or abuse.

What I hope to do in this text is show you the steps auditors follow to create their three main deliverables (the conclusion/opinion, the findings, and the audit documentation) as well as give you the tools to answer these questions for your clients.

Let’s tweak that definition of an auditor

Now that we have discussed independence, audit subject matter, audit criteria, and audit deliverables, we should tweak our definition of an auditor. We began the chapter with this definition: An independent professional who evaluates a subject matter against agreed-upon criteria.

Please allow me to enhance it a bit based on what we just read: An auditor is an independent professional who concludes whether a subject matter meets agreed-upon criteria by gathering evidence through performing custom-designed audit methodologies.  Aren’t you glad I didn’t start with that?

Yellow Book Ethics

Enjoy this excerpt from the self-study text The Yellow Book Interpreted, which qualifies for 15 hours of CPE.


The GAO has a few things to say about a government auditor’s ethical responsibilities and, thus, added a large section on ethics to the 2007 revision of the Yellow Book.  The same ethical principles appear in the 2017 exposure draft.

Themes of GAGAS
GAGAS is a very high-minded document.  And, in order to understand the GAO’s perspective on ethics, we need to talk about three themes of the Yellow Book that kick off the first chapter of the standards.

These three themes — accountability, transparency, and service — put us in the right frame of mind when auditing in the government environment.

What is accountability? I had heard the term tossed around the government so frequently that I never even thought about its meaning.  Now I know that accountability does not mean that you got it right. It just means that you take ownership of it.

I met a cowboy auditor in West Texas who said, “You might be right or you might be wrong, but you’d better the hell document it.”  That sums up accountability quite nicely.  When things go bad, you are there to say, “Yes, that was me.  I’m sorry.”  When things go well, you can keep your job.

Recently on CNN, I saw a high school coach who was responsible for the death of one of his teenage football players.  And instead of being contrite, he said something like, “Everyone is forgetting that I suffered a loss, too, and that I will hold on to this for the rest of my life.”  That is not exactly what the parents of that boy wanted to hear. He deflected accountability and tried to engender empathy for himself.  I doubt that will serve him well in his community.

The GAO repeatedly reminds us that we are accountable to the taxpaying public for our actions and that we, as auditors, have a role in holding government leaders accountable.

1.01      The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.03     Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. Audits provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

One of the tough things about the GAO standards is they are not written for government officials (although government officials are mentioned a few times); they are written as standards for auditors.  So, while we hold public officials and employees accountable for their actions, we are accountable for our actions, too.

Actions and information that are transparent are open for everyone’s inspection and review.

1.05     Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

The state of Texas has put every single transaction online – LIVE— and rates the transparency of local government as well.  I can, with a few clicks of the mouse, see that the Texas Department of Transportation bought a van, how much the van was, who they bought it from, why they need it, and what color of funds (general revenue, special revenue, enterprise revenues) paid for it.

Why?  Because citizens own the government, and we have a right to know.  Google “windows on Texas state government” to start your own exploration.

If you audit Hurst Construction, your ultimate audience for the audit report is Mr. Hurst, his board of directors, and the bank.  But, if you audit a public housing project, your ultimate clients are not the managers of the project, the boards of directors, or the banks.  Your ultimate beneficiaries of the report are not even the grantors.  The ultimate beneficiaries of your work are the low-income children who live in the housing project.

We have to remember, as governmental auditors, that we are checking to see whether tax dollars are being used for their intended purpose and whether the public is being served by our auditee’s efforts.

1.16      A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

We hold our clients to a higher standard of behavior than we do in the commercial sector. While it was OK for AIG to go on a lavish $500,000 spa junket before the US taxpayers bailed them out, it certainly was not OK after the bailout.

Later, we will see that the GAO asks you to report even more bad behaviors than the AICPA does.  If Mr. Hurst wants to put his jet-setting, never-worked-a-day-in-their-life kids on the payroll, more power to him. Auditors in the commercial realm do not have a responsibility to say anything about that. But in the government realm, we call that abuse, and we do have a responsibility to report it.  We’ll discuss more about abuse later.

Five main sections of the ethics section
The ethics discussion is divided into five main principles:

a.   The public interest
b.   Integrity
c.   Objectivity
d.   Proper use of government information, resources, and position
e.   Professional behavior

Let’s discuss each one in turn.

The public interest 
A city auditor once told me that he sees a higher purpose in his work.  It is his job to make sure that the monies collected by the city are turned back to support those who need services and who may not have a voice in the government.  He works on the citizens’ behalf, and because of this higher purpose, he doesn’t care whether he makes his auditees upset with his reports.  Now that is integrity!

1.15      The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment.

In my business I transfer in and out of two worlds – the government world and the commercial world – and indeed they are different.

An auditor from the GAO made the distinction between the two by saying that in the commercial world fortunes are made by doing what is not expressly prohibited; in the government world action won’t be taken unless it is expressly permitted.

Commercial entities do not seek transparency.  At the Apple corporate headquarters store, they sell a T-Shirt that says, “I visited the Apple Corporate Offices in Cupertino… and that is all I can say about it.”

But government auditors must shine light in dark places in order to serve their customer, the public.  And taxpayers get very, very upset if even a tiny bit of their hard-earned tax dollars are squandered.

Not long ago, I was helping a government employee retirement system develop a training event. Afterwards, to celebrate our success, we all went out to a first-rate steakhouse in Dallas – you know the type, where you pay $45 for an à la carte steak. We had wine and appetizers, and one guy ordered a $35 brandy. I was very uncomfortable. I thought that if any of their members walked in and recognized them as the folks in charge of their retirement funds, the retirement system would have a lot of explaining to do. The retirees don’t want their money squandered on high living for government employees!

If you work for a corporation, go ahead and enjoy the perks and the luxuries. But when you work for government, don’t be surprised if you can’t even get a cup of coffee!

Integrity & Objectivity
Many seasoned professionals have told me that they believe that auditor independence is an unattainable ideal; an external auditor’s independence is compromised when the auditee writes a check to pay the auditor’s fee, and an internal auditor takes a salary from the entity they audit. They argue that, at best, an auditor can provide an objective viewpoint and maintain integrity by making sure that external pressures do not force them to cover up the truth.

Later in this text, when we examine the GAO’s guidance for independence, the concepts of integrity and objectivity introduced here in the ethics chapter are raised again.

Both the integrity and objectivity sections of the ethics chapter of the Yellow Book mention auditor independence and freedom from political or ideological bias.

1.17      Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports… 

1.18      … In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.

1.19      The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest…The concepts of objectivity and independence are closely related…

Proper use of government information, resources, and position
A professor at UT Arlington teaches ethics and leadership to government leaders in Romania. He develops case studies for them to ponder each week.

One case study asked the students to discuss the ethical dilemma posed when a mayor used city employees to build a brick barbecue pit in his backyard – clearly an improper use of government resources. The professor didn’t hear back from his students in Romania for a month.

After several Skype conversations, the Romanians finally admitted that they just didn’t understand the ethical issue in the scenario. Using the labor of government employees for personal benefit is one of the perks of being a government leader in Romania! That professor has a lot of work to do!

1.20     Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

1.23     Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.

Professional behavior
Any behavior that could cause someone to question your professionalism can detract from your credibility. And credibility helps sell audit recommendations.

1.24     High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient…

Consider the following true scenario (with a few small changes to protect identities): You are the internal audit director of a large city. You recently hired a new auditor fresh out of college and assigned him to conduct a performance audit of your city’s police department.

Everything has been going well until last week when you saw a photo of him in the local newspaper at the city’s Mardi Gras celebration. He was pictured near the top of a street light without his shirt wearing dozens of bead necklaces. The police stood below and appeared to be yelling at him to come down.

You show him the picture and he becomes immediately defensive and tells you that what he does on his own time is none of your business. He reasoned that he had some college buddies in town and it was natural for him to show them a good time.

This standard on professional behavior does not mention that it applies only to an auditor’s work life. But does this auditor’s behavior during his personal time compromise his credibility with the police force? Yes, indeed!  How is he going to face the officers during an exit conference?

To maintain your shop’s professional image, you will probably have to remove this young auditor from the engagement and replace him with another auditor from your shop.

As auditors, we are paid for our credible, objective, high-integrity opinions and conclusions about an audit subject.  And this young man blew all that away with his antics.

Borrowing from the later discussion on independence in chapter 3:

3.04     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

In our next chapter, we will address the types of audits covered by Yellow Book standards.

Pulling It All Together

What’s the matter with the crowd I’m seeing?
“Don’t you know that they’re out of touch?”
Should I try to be a straight-A student?
“If you are then you think too much.
Don’t you know about the new fashion, honey?
All you need are looks and a whole lot of money?”
It’s the next phase, new wave, dance craze, anyways
It’s still rock and roll to me.
Everybody’s talkin’ ‘bout the new sound
Funny, but it’s still rock and roll to me.
It’s Still Rock and Roll to Me, Billy Joel


  • Sequence the steps of developing an internal control structure

Whew!  You made it. We are in the last chapter! Congrats, you have held on through a long case study and a complicated model.

In this final chapter, we are taking another look at the steps of creating a control structure from scratch, which will also serve as a review of this text. I will quote various excerpts from the Green Book as I go.  Also, we will address what happens when auditors visit to evaluate your controls.

Steps of developing controls

As I see it, the steps of developing controls are as follows:

1. Choose a subject matter

Maybe you have been asked to develop controls for a whole organization or just a segment of an organization.  In either case, you will benefit from breaking your subject matter down into smaller, more defined segments because it is easier to imagine controls for something specific than to imagine controls for something broad.

For instance, if I asked you to control the University of Michigan, you would probably walk out the door never to come back!  But if I asked you to control student financial aid at the University of Michigan, you would feel better.  If I asked you to set up controls to make sure that student financial aid at the University of Michigan is distributed on time, you’d feel super because that is very doable!

The side of the COSO cube prompts us to break the subject matter down into segments.  In the COSO and Green Book literature, the side of the cube is dubbed the ‘levels of organizational structure.’  I think of it instead as ‘what’ you are planning to control.

2. Focus on what is risky

Now that you have broken the organization up into segments, you can home in on the segments that are the most likely to cause trouble.

Risk assessment is the second control component on the face of the COSO model, but it is, in practice, the first component you consider when establishing controls.

For each piece, you ask four questions:

  1. What could go wrong?
  2. So what?
  3. How big of a deal is the ‘so what?’
  4. How likely are things to go wrong?

Here are the terms the Green Book uses for all of these questions:

  1. What could go wrong? The Green Book calls the answer to this question ‘identified risks.’
  2. So what?  The Green Book calls this ‘significance.’
  3. How big a deal is the so what?  The Green Book calls this ‘magnitude.’
  4. How likely are things to go wrong?  The Green book calls this ‘likelihood.’

From the Green Book:

7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective. 

7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined. 

3. Decide if you want to tolerate the risk

When you are confronted with a risk, you have four choices of how to handle it:  you can accept it and live with the possible consequences, you can avoid it by not doing the activity, you can mitigate it by layering on controls, or you can ask someone else to take on responsibility for it.

If you choose to keep on doing or to tolerate the activity that causes the risk, but you’d rather not suffer from this choice, you will proceed through the rest of the steps laid out here to help you create the controls to mitigate the risk.  Mitigate is a fancy word for ‘reduce.’

From the Green Book:

7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: 

  • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk. 
  • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk. 
  • Reduction - Action is taken to reduce the likelihood or magnitude of the risk. 
  • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses. 

8.06 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks…

4. Come up with a control objective

In order to focus your efforts and make sure that everyone is clear about what you are working toward, the Green Book recommends you come up with a clear control objective.

The Green Book talks about objectives in two layers.  In one layer, they ask you to consider ‘why’ you want to control something.   Is it because you are concerned about operations, compliance or reporting? The GAO calls these ‘categories of objectives’ and they are listed on the top of the cube.
[Figure: the COSO cube]

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories: 

  • Operations - Effectiveness and efficiency of operations 
  • Reporting - Reliability of reporting for internal and external use 
  • Compliance - Compliance with applicable laws and regulations 

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals. 

Operations Objectives 

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources. 

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission. 

Reporting Objectives 

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories: 

  • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance. 

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively. 

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. 

But later in the book, the GAO drills down into the categories and describes the need for a specific, customized control objective.

6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. 

6.03 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals. 

6.04 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. 

Our objective was, “Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?”

5. Compare the baseline to the ideal

Now it is time to talk to managers and find out if there are any existing controls in place.  This will be your baseline of controls.

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system. 

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system. 

Next, you will compare the baseline to the ideal:  the list of 17 principles.  When management has not already addressed a principle with a control or two, then you will need to design a control for that principle.  Remember, in order to judge a control system as effective, all five components and the underlying 17 principles should be in place!

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

Appendix I: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements of the Green Book are as follows: 

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
  2. The oversight body should oversee the entity’s internal control system. 
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 
  10. Management should design control activities to achieve objectives and respond to risks. 
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
  12. Management should implement control activities through policies. 
  13. Management should use quality information to achieve the entity’s objectives. 
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 
  17. Management should remediate identified internal control deficiencies on a timely basis. 

6. Consider cost 

Before you run out and implement all of the controls you designed in the last step, stop and think about how much each of the controls is going to cost you.  Do you need to invest in technology to make the control work?  Or do you need to beef up your staff?  Also, consider whether the new controls will slow down processes and frustrate employees, suppliers and customers.  Excessive controls are also known as ‘red tape’ and ‘burdensome bureaucracy!’

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. 

7. Does it prevent, detect or correct?

Again, before you proceed with the hard work of implementing the controls you designed, take some time to evaluate whether each control is preventative, corrective, or detective.  Detective controls are nice, but stopping the risk before it happens would be better than cleaning up the mess after it happens. This is especially true when it comes to unacceptable risks such as death and injury.  Make sure you have a good mix of all three types of controls with a preponderance of preventative controls.

8. Document

At this point, you are working with a large volume of information.  Just in case you get a little overwhelmed and forgetful, you’d better write down everything you have worked on so far.  The GAO is pretty firm about documentation:

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows: 

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06) 
  • Management develops and maintains documentation of its internal control system. (paragraph 3.09) 
  • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02) 
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09) 
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05) 
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06) 

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively. 

9. Evaluate the design vs. operation

Once you have organized your thoughts and chosen controls for all five components and the 17 principles, someone has to put them into action.  That could take a while.  As usual, it is best to be patient and thorough instead of agitated and spotty.  Ha.  Agitated and spotty is a great title for a teen romance novel!

The GAO takes pains to mention the difference between the design of a control and the implementation of a control in over a dozen places in the Green Book.  Here are a few quotes:

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. 

10. Evaluate whether you can declare your controls effective!

Sorry to say that your work isn’t done when you finish designing, documenting and implementing controls.  True to the monitoring component of the COSO model, you can’t just set things up and forget them.  You need to come back and evaluate whether everything you have set up is working, correct any unintended consequences of your efforts, improve controls and start the cycle all over again.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

This is a great place to introduce auditors back into our conversation because they may be able to help you ensure that the controls you designed are functioning properly.  That is what we will do in our next newsletter.

Is that your job? More on Control Environment

13 The next day, Moses took his seat to hear the people’s disputes against each other. They waited before him from morning till evening.

14 When Moses’ father-in-law saw all that Moses was doing for the people, he asked, “What are you really accomplishing here? Why are you trying to do all this alone while everyone stands around you from morning till evening?”

15 Moses replied, “Because the people come to me to get a ruling from God. 16 When a dispute arises, they come to me, and I am the one who settles the case between the quarreling parties. I inform the people of God’s decrees and give them his instructions.”

17 “This is not good!” Moses’ father-in-law exclaimed. 18 “You’re going to wear yourself out—and the people, too. This job is too heavy a burden for you to handle all by yourself. 19 Now listen to me, and let me give you a word of advice, and may God be with you. You should continue to be the people’s representative before God, bringing their disputes to him. 20 Teach them God’s decrees, and give them his instructions. Show them how to conduct their lives. 21 But select from all the people some capable, honest men who fear God and hate bribes. Appoint them as leaders over groups of one thousand, one hundred, fifty, and ten. 22 They should always be available to solve the people’s common disputes, but have them bring the major cases to you. Let the leaders decide the smaller matters themselves. They will help you carry the load, making the task easier for you. 23 If you follow this advice, and if God commands you to do so, then you will be able to endure the pressures, and all these people will go home in peace.”

24 Moses listened to his father-in-law’s advice and followed his suggestions. 25 He chose capable men from all over Israel and appointed them as leaders over the people. He put them in charge of groups of one thousand, one hundred, fifty, and ten. 26 These men were always available to solve the people’s common disputes. They brought the major cases to Moses, but they took care of the smaller matters themselves.  

In this chapter, we will cover the remaining three principles included in the control environment component of the COSO model:  Principle 3 – structure, responsibility and authority, Principle 4 – competence and Principle 5 – accountability.

Not even Moses, God’s chosen leader, could get it done all on his own.  Taking care of everything for everyone will absolutely wear a person out.

I watched a TV biography on Jim Henson, the creator of the Muppets.   He tried to be involved in every aspect of his business – Sesame Street, an HBO series, the next Muppet movie – even as his team grew to 300 people.  He didn’t take care of himself, contracted a very common illness, and refused to slow down long enough to go to the doctor.  By the time he got to the hospital, it was too late and he died at age 53!

No, most of us don’t work under that kind of pressure, but I have made myself sick trying to do it all several times.  I have learned to delegate and to give those to whom I delegate the authority to act without checking in with me.  My late-found ability to let go allows me to spend time doing what I do best and allows me some space to rest and think.

From the Green Book’s perspective, the reason we have controls is to make sure the entity achieves its objectives.  If an entity unwisely lays too much responsibility on one individual, and isn’t intentional about organizing itself and dividing and delegating the work, the Green Book points out that the entity simply won’t get where it wants to be.

3.01 Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 

3.06 To achieve the entity’s objectives, management assigns responsibility and delegates authority to key roles throughout the entity….

3.07 Management considers the overall responsibilities assigned to each unit, determines what key roles are needed to fulfill the assigned responsibilities, and establishes the key roles. Those in key roles can further assign responsibility for internal control to roles below them in the organizational structure, but retain ownership for fulfilling the overall responsibilities assigned to the unit. 

That isn’t my job!

One of the deadliest things that someone in customer service can utter is, “That isn’t my job.”  What this person and organization have failed to realize is that I, as a customer, do not give a flying rat’s patootie whose job it is, I just want my product or service with as little hassle as possible.

I recently used my frequent flyer miles on American Airlines to buy tickets on British Airways.  Big mistake.  After two hours of work booking the tickets, I found out that I had no seat assignments.  The next day, I spent another two hours getting seat assignments.  When I would ask American Airlines for help, they would pass me off to British Airways.  When I asked British Airways for help – you guessed it – they passed me off to American Airlines.

After several internet searches, a few password wrestling matches, multiple phone calls and hours of being on hold, I finally found a sympathetic ear.  Everyone else I encountered wanted to pass the responsibility on to someone else or gave me incomplete or erroneous information, but this angel stayed with me until I got the information I needed.

Who are the angels?

After figuring out what needs to be done, you have to put competent people in place to get it done.   Usually, an organization has to invest in its people to enable them to be good at their job.  My angel at American Airlines obviously had years of experience in customer care and knew exactly how to help me cut through all of the red tape and get my seat assignments.  I hope American is investing more in her.

The Green Book is clear that management is responsible for investing in its people and should not expect employees to be ready to work on their first day on the job!

4.01 Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 

4.05 Management recruits, develops, and retains competent personnel to achieve the entity’s objectives. Management considers the following: 

  • Recruit - Conduct procedures to determine whether a particular candidate fits the organizational needs and has the competence for the proposed role. 
  • Train - Enable individuals to develop competencies appropriate for key roles, reinforce standards of conduct, and tailor training based on the needs of the role. 
  • Mentor - Provide guidance on the individual’s performance based on standards of conduct and expectations of competence, align the individual’s skills and expertise with the entity’s objectives, and help personnel adapt to an evolving environment. 
  • Retain - Provide incentives to motivate and reinforce expected levels of performance and desired conduct, including training and credentialing as appropriate. 

I’d love to hold customer service accountable

At the beginning of each call to the airlines, I heard “This call is recorded and may be used for training purposes.”  What I’d love the message to say instead is, “This call is being monitored by someone who will hold these customer care representatives accountable if they send you to the wrong place or give you wrong or incomplete information.”  Wouldn’t it be nice if, at the end of each interaction with a customer care rep, you could evaluate whether they helped you or frustrated you?  Is it just me, or have you noticed that the customer care reps only connect you with the evaluation when they know you are happy?

So how do you hold people accountable?  

When I teach budgeting courses, I discuss how budgets are the translation of an organization’s plan into numbers.  I emphasize that unless an organization identifies when managers are off plan and holds them accountable, a budget just becomes a silly, wasteful, paper-pushing exercise.

Through real life stories told by the participants in my classes and my own work experience, I’ve compiled a list of options organizations can use to hold folks accountable.  Here is a list of some of the options from least stringent to most stringent:

  • Send out a variance report to all managers
  • Require managers to explain variances to the accountant
  • Require managers to explain variances in writing
  • Require managers to explain variances during a staff meeting
  • Require managers to explain variances during a meeting with executives
  • Evaluate budget performance in the manager’s annual performance evaluation
  • Reprimand managers who do not stay on track with the budget
  • Withhold bonuses from managers who stray from the budget
  • Fire managers who dismiss and ignore the budget

Did you think the last one was too extreme?  A mature CFO shared with the class that every time he pushed forward a new initiative on behalf of the executive team, he made sure the executives gave him the ability to fire anyone who did not play along.  He told a story about the executive team wanting to hold managers to a tighter and very unpopular budget.  When one division director rebelled and would not follow the budget, the CFO fired him.  After that, he had no problem keeping the other managers in line.

Here is what the Green Book says about holding people accountable:

5.03 Management holds entity personnel accountable for performing their assigned internal control responsibilities. The oversight body, in turn, holds management accountable as well as the organization as a whole for its internal control responsibilities. 

The flip side of stringency

But the Green Book also acknowledges the negative, flip side of holding folks accountable.  Whatever gets measured gets done – which is a good thing… sort of.  But on the flip side, employees will occasionally do silly and wasteful things to meet expectations.

For example, I audited a manufacturer of computer components in the late ’80s.   At the end of the year, the manufacturing managers received a bonus if their inventory was minimal.  So, on December 30, the managers filled two semi-trucks full of inventory and sent the trucks off to an unwitting customer in California.

The shipment was rejected by the customer on January 2 because they hadn’t ordered the components.  The trucks arrived back in Texas, full of inventory, on January 4.

The managers received their bonuses and the year-end records looked good – so on one hand, the managers’ mission was accomplished. But on the other hand, the records were misleading, the customer in California was annoyed, and the manufacturer wasted thousands on the bogus shipment.

From the Green Book:

5.04 If management establishes incentives, management recognizes that such actions can yield unintended consequences and evaluates incentives so that they align with the entity’s standards of conduct. 

5.07 Management adjusts excessive pressures on personnel in the entity. Pressure can appear in an entity because of goals established by management to meet objectives or cyclical demands of various processes performed by the entity, such as year-end financial statement preparation. Excessive pressure can result in personnel “cutting corners” to meet the established goals. 

The Control Environment Component is full of wisdom

The definition of wisdom is: the quality of having experience, knowledge, and good judgment. It is apparent that the creators of the COSO model and the Green Book have been around the block a few times and know the harm poor controls can do.

The control environment component of the COSO model tells us that what leaders do matters; that oversight bodies have an important role to play in keeping controls strong; and that everyone should know their job, be equipped to perform their job, and be held accountable for doing their job.

Here is a summary of the control environment component from the introduction to the chapter:

The control environment is the foundation for an internal control system. It provides the discipline and structure, which affect the overall quality of internal control. It influences how objectives are defined and how control activities are structured. The oversight body and management establish and maintain an environment throughout the entity that sets a positive attitude toward internal control. 

1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
2. The oversight body should oversee the entity’s internal control system. 
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 

Woven into these principles are warnings that our best intentions can go awry:

  • Under the first principle on tone at the top, we are warned that well-designed controls can break down when leaders act badly.
  • Under the second principle on oversight, we are warned that management might not want to fix obvious problems and therefore must be forced to act by an oversight body.
  • Under the fourth principle on competence, we are warned that our best people can leave us, and we’d better have a plan to keep the organization going without them.
  • Under the fifth principle on accountability, we are warned that holding people accountable can result in squirrely behavior that goes against the ultimate objectives of the entity.

What’s next?

In the next chapter, we will collect all of the controls we came up with for our case study, sort them out and then evaluate them for effectiveness and cost.

Chapter 12: Information and Communication

                        Might be a rock n’ roll addict, prancing on the stage

                        Might have money and drugs at your command, women in a cage

                        You may be a business man or some high degree thief

                        They may call you Doctor or they may call you Chief


                        But you’re gonna’ have to serve somebody, yes indeed

                        You’re gonna’ have to serve somebody.

                        Well, it may be the devil, or it may be the Lord

                        But you’re gonna’ have to serve somebody.

Bob Dylan, Gotta’ Serve Somebody


My business is minuscule, but that doesn’t exempt me from having to formalize my information processes and comply with reporting requirements of oversight entities.

Every year, I send a detailed report of my CPE offerings to the National Association of State Boards of Accountancy (NASBA).  They want to know how many classes I offered, who taught them, where they were offered and for what group, the date of the classes, and the number of hours granted.

The first year I prepared the report, I suffered.  I had to dig up physical files from earlier in the year and reconstruct all of the data, so I could input it into the report.  Slog!  It took days to put it together, and when I was finished, NASBA sent it back to me because it wasn’t formatted correctly.  Really?  More time, more suffering.

The State of Texas Board of Accountancy requires similar information, but their report has to be handwritten!  Hand… friggin… written… with an ink pen.  That takes a while to complete…

I realized after that first fiasco that I needed to go paperless and track the information I needed throughout the year rather than wait to gather the data at the last minute.  My assistant Chelsea and I have a checklist of all of the documents we must collect after each class, and we maintain a running spreadsheet of the data I am required to report.  All of the information is kept in a Dropbox file that she and I share and update each time I teach.  No more messy paper files.

This year, I only spent a few hours creating both reports!  And on top of that fabulous achievement, I also feel more confident in the information I am reporting because Chelsea and I double-check each other throughout the process.

I also have to report my income to the IRS every year.  When I first started my business, I reasoned that I could keep the books myself because I am a CPA. The only problem is, I do not enjoy bookkeeping.  I waited until the end of the year to force myself to sit down and input transactions into QuickBooks.

As you can imagine, I forgot the purpose of several payments that occurred early in the year and had to SWAG a description of the transactions.  SWAG stands for Sophisticated Wild Ass Guess.   After about five SWAGs, I decided I needed to stop the madness and hired a real bookkeeper, Carol, who keeps contemporary information on my business.  Carol sends me up-to-date financials every Monday, and when it is time to report to the IRS, all the transactions are there, ready to report.  No SWAGs necessary.

I have learned the hard way that thinking of the info you need to accumulate and share in advance is better than trying to gather it – and guess at it – months or even a year later.

The Green Book is Out to Save You from Suffering

The authors of the COSO model and Green Book must have gone through similar experiences.  So, they advise us to think ahead about the information that needs to be shared and to make sure the data shared is valid.

In the chapter on Information and Communication they ask us to apply three principles:

13. Management should use quality information to achieve the entity’s objectives.

14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.

15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

Principle #13 – no SWAGs

Auditors are trained to never take anyone’s word on anything.  Auditors are trained to seek convincing evidence and not base any conclusions on testimony.  Because both of my above reports could be audited, I am prepared to back up all of my data with original documents!  For instance, the information I send to NASBA about the classes I offer is backed up with sign-in sheets from attendees.  And the transactions in my accounting records are backed up with receipts and bank statements.

The first principle under the Information and Communication component advises us to put controls in place to make sure all of the information in the reports is valid and backed up with evidence.  Three attributes apply to this principle:

13.01 Management should use quality information to achieve the entity’s objectives.


The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Identification of Information Requirements
  • Relevant Data from Reliable Sources
  • Data Processed into Quality Information

Attribute 1: Figure out who wants the information and what information they need

This attribute asks, “Who cares about whether your work succeeds or whether your controls are functioning?”  Our case study objective is: Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?   I imagine that the following folks will care if the coach is making personal purchases:

  • The director of the athletic department
  • The executive team of the school
  • The school board
  • The citizens of the school district

Once we have a sense of who we will be sharing information with, we need to find out what they want to know.  We can inquire of the stakeholders directly, or we can make some assumptions about what they need. Knowing what they want rather than guessing what they want is best because the frequency and accuracy of information costs time and money; it is a waste of resources to generate and report information they don’t need.

Section 13.03 says that the process of identifying what stakeholders need is an iterative process… in other words, you will have to redesign the content of your reports several times before you hit on content that is meaningful to the stakeholders.

Here is what the Green Book has to say about this attribute.

Identification of Information Requirements

13.02 Management designs a process that uses the entity’s objectives and related risks to identify the information requirements needed to achieve the objectives and address the risks. Information requirements consider the expectations of both internal and external users. Management defines the identified information requirements at the relevant level and requisite specificity for appropriate personnel.

13.03 Management identifies information requirements in an iterative and ongoing process that occurs throughout an effective internal control system. As change in the entity and its objectives and risks occurs, management changes information requirements as needed to meet these modified objectives and address these modified risks.

Attribute #2: Who you get the information from matters

It is always preferable to get your evidence – or the back-up for your reports – from objective third parties.  So, instead of asking the coach to describe his own transactions, source your information from the credit card statement.  The credit card company has no reason to disguise the purpose of purchases, but the coach does.  If any transaction looks iffy, you could ask for original receipts from the coach.

From the Green Book:

Relevant Data from Reliable Sources

13.04 Management obtains relevant data from reliable internal and external sources in a timely manner based on the identified information requirements. Relevant data have a logical connection with, or bearing upon, the identified information requirements. Reliable internal and external sources provide data that are reasonably free from error and bias and faithfully represent what they purport to represent. Management evaluates both internal and external sources of data for reliability. Sources of data can be operational, financial, or compliance related. Management obtains data on a timely basis so that they can be used for effective monitoring.

Attribute #3: Don’t let anyone doctor the report before it is published

The last attribute addresses how the evidence is processed.  The true financial results for Enron, which were created from reliable and relevant evidence by the Enron accounting department, didn’t look that attractive, so the Enron executives made a few fraudulent changes to the reports before they were published.  Obviously, we don’t want to allow bogus changes to our reports in order to make the results look more acceptable.

This is what the Green Book has to say about processing data.

Data Processed into Quality Information

13.05 Management processes the obtained data into quality information that supports the internal control system. This involves processing data into information and then evaluating the processed information so that it is quality information. Quality information meets the identified information requirements when relevant data from reliable sources are used. Quality information is appropriate, current, complete, accurate, accessible, and provided on a timely basis. Management considers these characteristics as well as the information processing objectives in evaluating processed information and makes revisions when necessary so that the information is quality information.  Management uses the quality information to make informed decisions and evaluate the entity’s performance in achieving key objectives and addressing risks.

13.06 Management processes relevant data from reliable sources into quality information within the entity’s information system. An information system is the people, processes, data, and technology that management organizes to obtain, communicate, or dispose of information.

Answering Who, What, When, Where & How

So, now that the Green Book has prompted you to answer the who and what questions – who you need to communicate with and what information they need – principles 14 & 15 prompt us to answer the when, where, and how questions.

The contents of principles 14 & 15 are very similar.  Principle 14 focuses on internal reporting and principle 15 focuses on external reporting.  Both ask that we consider:

  • Audience - The intended recipients of the communication
  • Nature of information - The purpose and type of information being communicated
  • Availability - Information readily available to the audience when needed
  • Cost - The resources used to communicate the information
  • Legal or regulatory requirements - Requirements in laws and regulations that may impact communication

A report for our case study

Let’s make up a report for our case study example.  Remember our control objective is:

Do controls prevent the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459? 

Thinking through each of the prompts given in sections 14.07 and 15.07:

Audience

The intended recipients of the communication

The school board and the public.

Nature of information

The purpose and type of information being communicated

This report will contain a bar graphic for each user of the purchasing card and will look something like this:

It will also include a detailed list of transactions for each cardholder that will include the date of the transaction, the vendor, the amount of the purchase, and the items purchased.

Availability

Information readily available to the audience when needed

The board will receive the report every month via email and the report will be available to the public on the school’s website after the board has reviewed it.

Cost

The resources used to communicate the information

Accounting has the transaction information readily available in the general ledger, but it is not separated by user.  So, the initial cost to set up individual accounts for each user will require some customization of the accounting software.  But, once it is set up, the report should only take an accountant an hour to create and email to the board.  The webmaster will have to post the report to the site, and that should take about 30 minutes.

Legal or regulatory requirements

Requirements in laws and regulations that may impact communication

This report will not help satisfy any regulatory requirements imposed by the state or federal government. However, the Comptroller of the State will award us a ‘Transparency’ award and will feature our report on their website if we meet their award criteria.
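As an added example (not code from the newsletter, the Green Book, or the school district) of how the monthly cardholder report described above could be generated once the general ledger separates transactions by user: the transactions below are constructed sample lines taken from the card issuer’s statement, the third-party source that Attribute #2 prefers over the coach’s own description. The allowed merchant categories and the single-purchase limit that triggers a request for an original receipt are assumptions standing in for the actual text of Policy #C7.459, which the newsletter does not reproduce.

```python
from collections import defaultdict
from datetime import date

# Constructed sample purchasing-card statement lines (assumption: the card
# issuer's monthly statement is the data feed). Names, vendors, merchant
# categories ("mcc") and amounts are made up for this example.
STATEMENT = [
    {"date": date(2018, 3, 2),  "cardholder": "Coach Smith",     "vendor": "Gym Supply Co",
     "mcc": "sporting_goods", "amount": 412.50,  "items": "practice cones, balls"},
    {"date": date(2018, 3, 5),  "cardholder": "Coach Smith",     "vendor": "Big Box Electronics",
     "mcc": "electronics",    "amount": 899.00,  "items": "55in television"},
    {"date": date(2018, 3, 9),  "cardholder": "Coach Smith",     "vendor": "Team Bus Lines",
     "mcc": "transportation", "amount": 1250.00, "items": "charter to regional meet"},
    {"date": date(2018, 3, 11), "cardholder": "Librarian Jones", "vendor": "Books R Us",
     "mcc": "books",          "amount": 230.00,  "items": "reference set"},
    {"date": date(2018, 3, 15), "cardholder": "Librarian Jones", "vendor": "Fine Dining Bistro",
     "mcc": "restaurant",     "amount": 160.00,  "items": "dinner"},
]

# Assumed reading of Policy #C7.459 (the real policy text is not on the page):
# merchant categories that count as district business, and the single-purchase
# amount above which an original receipt is requested from the cardholder.
ALLOWED_CATEGORIES = {"sporting_goods", "transportation", "books", "office_supplies"}
RECEIPT_THRESHOLD = 1000.00


def classify(txn):
    """Return the list of follow-up reasons for one transaction (empty if clean)."""
    reasons = []
    if txn["mcc"] not in ALLOWED_CATEGORIES:
        reasons.append(f"category '{txn['mcc']}' not allowed under policy")
    if txn["amount"] > RECEIPT_THRESHOLD:
        reasons.append(
            f"amount {txn['amount']:.2f} exceeds {RECEIPT_THRESHOLD:.2f}; request original receipt"
        )
    return reasons


def build_report(statement):
    """Group statement lines by cardholder; compute each user's total, the number
    of transactions needing follow-up, and the detailed transaction list."""
    report = defaultdict(lambda: {"total": 0.0, "flagged": 0, "transactions": []})
    for txn in sorted(statement, key=lambda t: (t["cardholder"], t["date"])):
        reasons = classify(txn)
        entry = report[txn["cardholder"]]
        entry["total"] += txn["amount"]
        entry["flagged"] += 1 if reasons else 0
        entry["transactions"].append({**txn, "follow_up": reasons})
    return dict(report)


def text_bar_chart(report, width=40):
    """Render per-cardholder totals as a horizontal text bar chart, one line per user."""
    largest = max(entry["total"] for entry in report.values()) or 1.0
    lines = []
    for name, entry in sorted(report.items()):
        bar = "#" * int(round(width * entry["total"] / largest))
        lines.append(f"{name:<16} {bar} {entry['total']:>9.2f} ({entry['flagged']} flagged)")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = build_report(STATEMENT)
    print(text_bar_chart(rep))
    for name, entry in sorted(rep.items()):
        print(f"\n{name}")
        for t in entry["transactions"]:
            flag = (" <-- " + "; ".join(t["follow_up"])) if t["follow_up"] else ""
            print(f"  {t['date']}  {t['vendor']:<22} {t['amount']:>8.2f}  {t['items']}{flag}")
```

The per-user grouping is what the “Cost” paragraph says the accounting software must be customized to support; the flag column is the reviewer’s cue to go back to the cardholder for a receipt rather than accept a description of the purchase.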

Information and Communication is the most straightforward component

The information and communication component of the COSO model/Green Book advises us to make sure that the information we share is valid and communicated in a manner that is helpful to stakeholders.  In my opinion, it is the most straightforward and clear component of the COSO model/Green Book.

So far, we have covered three components of the COSO model/Green Book – the risk assessment component, the control activities component and the information and communication component.  In the next chapter, we will cover the monitoring component.

My comments to the GAO on the 2017 exposure draft of GAGAS

Here is the short response that I sent to the GAO on the 2017 exposure draft of GAGAS.  The deadline for comments is July 6.  Please send your comments to



Thank you for giving the audit community a chance to comment.  I am in the relatively unique position of having the privilege to work with teams using every chapter of the Yellow Book.  I work with CPA firms who apply the financial audit standards in the conduct of the Single Audit, internal audit shops and monitors in government who follow the performance audit standards, and legislative auditors who apply both financial and performance standards.  I also work with shops that don’t want to hear anything about the Yellow Book at all (!) and instead follow only IIA or AICPA standards.

Here are a half-a-dozen items I ask you to consider for the finalized 2017 revision:

1. Disclose all auditor responsibilities and the corresponding results and conclusions in the audit report

Please require auditors to include a more direct statement regarding the auditor’s responsibilities for all five reportable conditions in the audit report as well as the auditor’s results or conclusions regarding those responsibilities. 

In the proposed revision, an auditor is responsible for five reportable conditions – fraud, internal control weaknesses, non-compliance, waste, and abuse – but per the reporting standards the auditor need only describe their responsibilities regarding two of these conditions – internal control and compliance – to the reader of the audit report.  The reporting requirements have not evolved along with the audit standards to include statements regarding fraud, waste and abuse.

The AICPA’s canned audit reports regarding internal controls and compliance are opaque and user-unfriendly.  I know that you do not have the power to revise these letters, but I also know that you can influence the content of the AICPA’s letters and encourage clarity and transparency in all auditors’ reports if you decide to alter the required disclosures.

2. Revive the report quality elements
Please revive the ‘report quality elements’ listed in the 2011 version of the Yellow Book at A7.02.  I use the report quality elements quite a bit in my teaching – especially the guidance reminding auditors about timeliness and conciseness.

3. Revive the clear reference to the Single Audit
The 2007 version of the Yellow Book contained a clear reference to the Single Audit that was removed in the 2011 version.  Will you please add it back so there is no doubt that the Single Audit is classified as a financial audit?  It was in section 1.22(b) of the 2007 version and said “(5) auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit.”

4. Define the term ‘performance aspect’ and remind auditors of the danger of vague performance aspects
Would you please define the term ‘performance aspects’? Section 8.08 mentions ‘performance aspects’ but does not define the term. The International Standards for Supreme Audit Organizations defines the term ‘performance aspect’, but most auditors I work with are unaware of those standards.

It would be very helpful if you would go on to remind auditors that the terms effective, efficient and economical are very general and vague and that the auditor would benefit from using a more specific performance aspect in their objective – such as timeliness or accuracy.  I have witnessed countless audit teams suffering from scope creep and messy audit reports when they include the words efficient and effective in their audit objectives.

5. Simplify the peer review requirements
Please simplify and shorten the peer review requirements by including only the minimum requirements at the “Requirements for Audit Organizations Not Affiliated with Recognized Organizations” in paragraphs 5.80 through 5.113.   By mentioning specific organizations’ peer review programs in section 5.64, you are creating more work for yourself and the audit community because now you will need to approve these organizations’ approaches each time you revise the Yellow Book.  You will also have to screen other organizations’ systems before inclusion in the Yellow Book. This can easily become political and bureaucratic and can be completely avoided by mentioning the minimum requirements only.

6. Revise an awkward sentence
This sentence is a bit convoluted:
6.20 Auditors should consider potential internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when significant to the audit objectives.
Maybe just say - Auditors should consider whether an internal control deficiency is the cause for identified findings.

Thank you again for the chance to comment, and thank you for working to make the Yellow Book the most comprehensive and clear audit standard in existence today.


Fraud Risk per the GAO’s Green Book

Just because you’re unaware of the risk, doesn’t mean it isn’t there

Just because you aren’t conscious of something dangerous, doesn’t mean it isn’t lurking.   One of the most important themes of the GAO’s Green Book (and the 2013 COSO model it is sourced from) is consciousness.  Instead of just playing along with the crowd without regard to the risk, the Green Book encourages you to become conscious of risk, imagine the worst, and then plan to prevent it.

Do you think that people in the 1940’s had a sneaking suspicion that smoking was unhealthy?  Or do you think their desire to be glamorous like all those smoldering (forgive the pun) Hollywood movie stars overrode their common sense?

And in the 70’s my mom and dad slathered themselves with olive oil and lay in the sun to get a reddish brown ‘tan’.  Coppertone products promised to magnify the power of the sun.  Now my dad gets skin cancer removed from his face, arms, and hands every six months or so.

Everybody went nuts buying non-stick cookware in the 80’s only to find out that the Teflon emits dangerous gases into your food when heated.  In the 90’s we all started drinking bottled water with no concern for the environmental impact, and in the 2000’s we went ‘wireless’ and may be exposing our brains to harmful radio waves.  Lately, we all have to concede that if we transact with the world at all, our personal data is out there and available to criminals in Russia.

I am thinking of that classic parental line here, “If your crazy friend Carl jumped off a bridge, would you do it too?”  Going along with the crowd can be dangerous.

Sometimes you can pre-empt negative consequences

It is all very nice to look back in hindsight and realize that you shouldn’t have followed the crowd and jumped off that bridge.  But sometimes, you can work ahead of a problem to prevent bad results.

For instance, I opened a new business account at a bank recently.  And I know that it is dangerous to give my bank account number to folks who are making deposits into my account and/or who have the power to withdraw money from my account.  But I put the risk out of my mind because I didn’t think I could do anything about it.

Hand me the Coppertone, I’ll play along!  My thinking was, “That’s how business is done and I want to play.”

But my new bank has thought about this risk and offered me not one, but two checking accounts.  I can share one checking account number with vendors and customers who are coming in and out of my account and the other account – where the bulk of my money is – is accessible and known only to me and my bookkeeper.  Nice.

Fraud is real but it isn’t entirely unavoidable

The Certified Fraud Examiners estimate that 5% of an organization’s annual revenue is lost to fraud.

And although the Certified Fraud Examiners don’t say it outright, they are implying that most organizations suffer fraud.   If an organization grows to over 100 employees, someone is probably doing something squirrely.

I spent a year writing a self-study book on Fraud for Government Auditors.  Unfortunately, I wrote it in 2008 as our economy was crashing.   As I wrote, I became hyper-aware of bad behavior and fraud everywhere I went.  It was exhausting and disheartening to see fraud every time I left the house or read the news, so 8 years later, I have turned the consciousness dial down quite a bit and become mostly numb to it once more. There is only so much moral outrage you can muster day after day after day.

The Green Book asks the leaders of the organization to think about fraud before it happens.  It is asking them, for at least a few days while they prepare a risk assessment, to muster some moral outrage before the organization actually suffers fraud so that they can plan around it, just like my new bank.

Fraud risk specifically

So in our last chapter, we discussed inherent risk in general and how the Green Book encourages us to think about the risk of death, injury, shame, loss of money or non-achievement of goals.

Now, we are going to focus on fraud risk specifically.  Fraud can cause injury, shame, loss of money, or non-achievement of goals.  But occupational fraud, the fraud discussed in the Green Book, is not likely to cause death.

The GAO dedicates a good portion of the chapter in the Green Book on risk assessment to assessing fraud risk.

Principle 8 states: 8.01: Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 

Luckily, the GAO’s Green Book doesn’t stop there, but instead shares two models that will help us be more conscious of fraud as we are assessing fraud risk: the fraud tree and the fraud triangle. We are going to discuss each in turn.

Like a good spiritual guide, the fraud tree and fraud triangle enhance consciousness

Both the fraud tree and the fraud triangle have helped me see fraud where I didn’t see it before.  And once your consciousness has been raised, you see new things everywhere.

You may have experienced this with your car.  I am the happy owner of a plain white Lexus sedan.  Before I owned a Lexus, I was oblivious to how many were on the road. Now I see them everywhere.  You remember that weird movie called The Sixth Sense… where the lead declares “I see dead people!”?  I see Lexi.

A broad overview of the fraud tree

As a supplement to this article, I am also going to publish a series of chapters from my book on fraud so you can get to know the fraud tree in more detail.  Be looking for those over the next few weeks. But in this short article, we are just going to do a broad overview of the fraud tree.

So don’t read any of those newsletters or read the rest of this newsletter unless you want to see fraud everywhere.


A fraud investigator once told me, fraud is lyin’, cheat’n, and steal’n.  But the Certified Fraud examiners are more formal about classifying fraud and use much better grammar.  The Certified Fraud Examiners came up with a whole taxonomy of occupational fraud which they dubbed the ‘fraud tree.’  If you are having a hard time reading the graphic below, visit the Certified Fraud Examiners page at for a clearer graphic.

Fraud Tree

The fraud tree divides fraud into three categories:

  • Corruption
  • Misappropriation of assets
  • Fraudulent reporting

Corruption includes bribery and extortion – which are flip sides of the same coin.  When a person without power pays a person in power for a favor, it is a bribe. When a person in power demands payment from someone who needs a favor, it is extortion.

A contractor with a Texas county told me that he and all of the other contractors knew that in order to win contracts, they would have to give expensive gifts to the county purchaser. Whenever requests for proposals were discussed with contractors, the purchaser would mention things he needed for his house – like a new grill or a lawnmower.  The contractors knew that whoever was first to buy the grill or lawnmower would win the contract. Eventually, the purchaser’s requests became more extravagant and frequent. The contractors had to take turns bidding on contracts, so they could distribute the extra expense more evenly among them.

Corruption also includes illegal gratuities.  An illegal gratuity is when you reward or pay someone in advance in hope of future favor. This is the way the US Congress works. Corporations and lobbyists support campaigns and slather favors on Congressmen in hopes that the Congressman’s decisions on future legislation will be favorable to them.

The last category in corruption is conflict of interest.  This is a wide category of bad behaviors where favors are granted to friends and family.  My friend has recently been elected treasurer of her homeowner’s association.  She has already found out that the chairman of the board is awarding work to companies that his daughters own.  My friend suspects, but cannot prove yet, that the chairman owns the companies and that the daughters are owners on paper only.

The second branch of the tree is misappropriation of assets. Misappropriation of assets is when cash or other assets of the organization are stolen or misused.  Notice that the fraud tree has two main branches under misappropriation of assets – 1. cash and 2. inventory and other assets.


Cash can be stolen in three ways: cash can be taken after it has been captured in the accounting records (larceny), or before it hits the accounting records (skimming), or it can be disbursed in what looks like legitimate transactions for illegitimate purposes, like payments to fake (ghost) employees or fake (shell) companies.  As you can tell from the tree, cash misappropriation includes a wide variety of creative categories for fraudsters to choose from.

Other assets, like inventory and fixed assets can be stolen or misused.  The mail clerk in a state agency I worked for was using the state’s van on weekends to deliver pizzas!

And the last category is fraudulent statements.  We are all aware of the infamous financial statement fraud scandals at Enron and WorldCom that wreaked havoc on our national economy.  But we might not be as well acquainted with non-financial statement fraud.  A false claim or statement for personal gain falls into this category.  Fifty-eight percent of hiring managers said they’ve caught a lie on a resume per a Career Builder Survey concluded in 2014.  And many governments use performance measures to convince grantors and the citizenry that they are doing a good job handling public resources. But as you can imagine, sometimes these performance measures are altered, manipulated, or even completely made up.

One of my favorite stories about fraudulent performance measures is about the Public Works Department in the City of San Diego. Their Public Works Department said they filled potholes within a week, when the truth is most potholes took months to repair.  When asked about the discrepancy, the Public Works Department said that their definition of repaired does not meet most people’s definition of repaired.  Tricky?  Yes.  Fraudulent?  I’d say so because the managers in the Public Works Department benefited from exaggerating the Department’s effectiveness.  See the amusing article about this fraud here:

When I audited performance measures at a state department of criminal justice (the state prison system), I found that most measures were pulled directly out of the sky.  They were estimates that made the department look good, not measures of real results.

If you were reading closely, you might have noticed a small difference in wording

I don’t really know why the GAO and the COSO model chose to leave out non-financial statement fraud from their literature, but they did.  Here is the quote referring to the fraud tree in the Green Book:

Green Book 8.02 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks.  Types of fraud are as follows:

  • Fraudulent financial reporting - Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
  • Misappropriation of assets - Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.
  • Corruption - Bribery and other illegal acts.

See how the Green Book doesn’t talk about fraudulent statements in general but fraudulent financial statements only.

If you are an aficionado of SAS 99 (now AU 316), the AICPA’s guidance on an auditor’s responsibility for detecting fraud, you may recognize that the AICPA focuses their discussion of fraud on fraudulent financial statement reporting only.  This makes sense because the AICPA is clear about its audit objective – to opine on whether the financial statements are created in accordance with an accounting standard (usually GAAP).  But the Green Book – because it covers an entire organization, should include all components of the fraud tree.

If you know the reason for this, please share.  Otherwise, I am going to say it is a flaw of the Green Book until someone can convince me otherwise.

Next time, we will discuss the fraud triangle and do an example fraud risk assessment.
