Best Practices

Internal Control and Management Involvement

Governments should obtain the information and training needed to meaningfully take responsibility for internal control.

GFOA’s Code of Professional Ethics requires finance officers, as part of their responsibility as public officials, to “exercise prudence and integrity in the management of funds in their custody and in all financial transactions.” GFOA’s Code of Professional Ethics also requires of finance officers in connection with the issuance and management of information that they “not knowingly sign, subscribe to, or permit the issuance of any statement or report which contains any misstatement or which omits any material fact.” Both provisions presume the existence of a sound framework of internal control:

  • Prudence in the management of public funds requires that there be adequate control procedures in place to protect those funds.
  • A sound framework of internal control is necessary to afford a reasonable basis for finance officers to assert that the information they provide can be relied upon.

 While a government’s independent auditors and similar outside parties often can provide valuable assistance to management in meeting its internal-control-related responsibilities, their contribution can never be a substitute for management’s direct and informed involvement with internal control.

Ultimately, it is the responsibility of appropriate elected officials to ensure that the managers who report to them fulfill their responsibilities in implementing and maintaining a sound and comprehensive framework of internal control.

GFOA recommends that financial managers obtain the information and training needed to meaningfully take responsibility for internal control. In particular, they should obtain a sound understanding of the essential components of a comprehensive framework of internal control as set forth by the Council of Sponsoring Organizations (COSO) of the Treadway Commission on Fraudulent Financial Reporting in the publication Internal Controls—Integrated Framework.1 They also should ensure that all employees responsible in any way for internal control receive the information and training they need to fulfill their particular responsibilities.

GFOA also recommends that internal control procedures over financial management be documented.2

Documented internal control procedures should include some practical means for lower level employees to report instances of management override of controls that could be indicative of fraud.3

GFOA further recommends that financial managers, with the assistance of internal auditors4 or equivalent personnel as needed, periodically evaluate relevant internal control procedures to satisfy themselves that those procedures 1) are adequately designed to achieve their intended purpose, 2) have actually been implemented, and 3) continue to function as designed.

Evaluations should also encompass the effectiveness and timeliness of the government’s response to indications of potential control weaknesses generated by internal control procedures(e.g., resolution of items in exception reports).5

The determination of whether controls have been implemented necessarily involves establishing their initial effectiveness as a baseline for future monitoring. Effectiveness then needs to be reassessed periodically. Moreover, there should be a process in place to 1) identify changes, either in what is being controlled or in the controls themselves and 2) make appropriate modifications. Following each periodic reassessment or modification a new baseline of effectiveness needs to be established as a basis for subsequent monitoring.

In addition, GFOA recommends that upon completion of any evaluation of internal control procedures financial managers determine what specific actions are necessary to remedy the root case of any disclosed weaknesses. A corrective action plan with an appropriate timetable should be adopted. There should be follow-up on the corrective action plan to ensure that it has been fully implemented on a timely basis.


1This information is specifically adapted to the needs of state and local governments in GFOA’s publication Evaluating Internal Controls: A Local Government Manager’s Guide.
2See GFOA’s recommended practice on Documenting Accounting Policies and Procedures (2002).
3See GFOA’s recommended practice on Encouraging and Facilitating the Reporting of Fraud and Questionable Accounting and Auditing Practices (2007).
4See GFOA’s recommended practice on Establishing an Internal Audit Function (1997) government’s response to indications of potential control weaknesses generated by internal control procedures.
5It normally would not be practical for financial managers to attempt to undertake a thorough evaluation of all of their internal control procedures in a single year. Therefore, it is appropriate that financial managers evaluate their various control cycles on a cyclical basis.

This best practice was previously titled Getting Management Involved with Internal Control.

  • Board approval date: Friday, October 31, 2008