In this episode of THE SAMPLE, Leita Hart-Fanta, CPA answers the question, “What Are the Principles of Internal Control?” The COSO organization broke the 5 components of internal control into 17 underlying principles. And if you are following the GAO’s Yellow Book standards for performance auditors, you should use the 17 principles to evaluate controls and disclose which principles you used in your audit report.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
Transcript
In this episode we answer the question, “What are the principles of internal control?” Principles: these things on the face of this cube are called components. Now we could have settled there as a profession and just stopped with that, a five pronged face on the cube, but no.
The COSO Organization (they’re the creators or that cube), recognizing that the cube is a little hard to work with. They published it in 1992 initially. In 2013, they said, “Let’s reorganize this thing, make it easier to work with,” and indeed they did by breaking down those five components on the face into 17 underlying principles.
Then they took those 17 principles and broke them down yet again into attributes. So instead of the original COSO model, which was long paragraphs, long narrative, the COSO organization took that same narrative, rejiggered it, and then broke it into pieces.
The GAO, who has responsibility for setting internal control standards for the federal government copied the COSO model and put it into this thing called the Green Book. Now I am going to show you the Green Book, because I don’t want to access the COSO model because it costs several hundred dollars to get a copy. This is free. All you have to do is just Google, “GAO Green Book.” This will pop up for free. And I just want to show you that relationship of the principles and the components.
So components are the five things on the face, and principles are more detail on those components. Here is a master list of the five components that were on the face (control environment, risk assessment, blah, blah) and then the 17 underlying principles. Let me show you what that looks like in a chapter. Scroll down just a little bit to get to the first chapter. Here we’re talking about control environment. Here they define control environment. Here they lay out the principles. There’s five principles under control environment. Then they take each principle and break it into attributes. See, the first attribute here is “Tone at the top.” There’s “Tone at the top.”
So it’s just giving us more granularity. Now that’s a plus for clarity, but it also becomes tricky if you’re documenting internal controls. You might be a manager documenting internal controls. Maybe you’re at the federal government level. Instead of just asking you to document your controls using the five components, you’re now being asked to also use the 17 principles. For auditors, this is a requirement out of the GAO’s Yellow Book.
The GAO, for performance auditors, is mentioning both the components and the principles throughout the performance audit standards, so we don’t get to just use the components (the five) anymore, we also have to take into account the 17 in our documentation, but also in our reporting.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me at leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.
For More Info:
The GAO Green Book: Standards for Internal Control
The GAO’s Green Book: Internal Controls
Internal Control Workshop: Live & Customized
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: