How to do a Green Book assessment of your internal controls

Your questions answered

At a time when state and local governments are being asked to do more with less, management may consider the task of assessing and upgrading internal controls to comply with federal guidelines as an administrative headache.

But as we noted in a recent thought leadership piece, Internal controls: Leading Practices for State and Local Government Organizations, using the Green Book as a framework for internal controls has become a leading practice. Indeed, an assessment and monitoring of your controls can be a valuable opportunity to identify:

  • Enhance enterprise risk management efforts
  • Redundant or out-of-date practices that can be streamlined
  • Areas for use of innovative technologies, including the use of
    intelligent automation for routine tasks
  • Leading practices that can be migrated across the organization
  • Enhance accountability and transparency of the use of taxpayer funds.

Organizations that have adopted the Green Book, and those considering making the commitment to the leading practice, encounter some of the same questions to implementation, such as how to go about the process. Participants in our recent Webcast on Green Book implementation had a number of questions on that subject, and following, we provide some answers.

Must all 17 principles included in the Green Book be in place to have an effective control system?

Yes. The effectiveness of an internal control system depends on the effective implementation of each of the 17 principles that make up the Green Book’s 5 components of internal control—Control Environment (Principles 1–5), Risk Assessment (6–9), Control Activities (10–12), Information and Communication (13–15), and Monitoring (16–17).

In short, the 17 principles work together to create an effective control system.A lack of one of the principles can significantly affect the system as a whole. Example scenarios and potential impacts are outlined below.

  • If an organization lacks the principles of control environment (foundation of an internal control system), the best-designed process controls may not likely be executed effectively.
  • If an organization lacks the principles of risk assessment, the focus of the internal controls may not be on the areas that need to be controlled, reducing the cost effectiveness of efforts, and leaving other risk areas vulnerable.
  • If an organization lacks the principles of control activities (policies and procedures), the organization may not operate effectively to respond to risks and meet business objectives.
  • If an organization does not effectively manage information and communication regarding controls and processes, personnel may not know the expectations of the control, and how to execute them.
  • Lastly, if an organization does not perform monitoring activities
     and follow-up on controls (assess quality over time, including issue resolution), employees can lose sight of control objectives and controls may not be effective or relevant.

As a result of the new Uniform Guidance, many state and local governments are now assessing their controls — both as a better practice for managing risk as well as an opportunity to rethink how they run their operations. They are using the Green Book framework to help them identify new opportunities and to evolve their organizations. KPMG has helped many organizations find value when performing a controls evaluation.

Find out more by downloading the PDF below.