Best Practices

Internal Control and Management Involvement

GFOA recommends that financial officers obtain the information and education needed to meaningfully take responsibility for internal control.

Finance officers, as public officials are obligated to exercise prudence and integrity in the management of funds in their custody and in all financial transactions, and must not knowingly sign, subscribe to, or permit the issuance of any statement or report which contains any misstatement or which omits any material fact. These and other responsibilities are inherent in GFOA’s Code of Ethics. The ability of finance officers to meet these obligations requires a sound framework of internal control. Specifically,

  • Prudence in the management of public funds requires that there be adequate control procedures in place to protect those funds, and
  • A sound framework of internal control is necessary to afford a reasonable basis for finance officers to assert that the information they provide can be relied upon.

While a government’s independent auditors and similar outside parties often can provide valuable assistance to management in meeting its internal-control-related responsibilities, their contribution can never be a substitute for management’s direct and informed involvement with internal control.

Ultimately, it is the responsibility of elected officials to ensure that the managers who report to them fulfill their responsibilities in implementing and maintaining a sound and comprehensive framework of internal control.

In particular, they should obtain a sound understanding of the essential components of a comprehensive framework of internal control as set forth by the Council of Sponsoring Organizations (COSO) of the Treadway Commission on Fraudulent Financial Reporting in the publication Internal Controls Integrated Framework.[1] Management should ensure that all employees receive the information and education on internal control practices that they need to fulfill their particular responsibilities.

GFOA also recommends that internal control procedures over financial management be documented.

  • Documented internal control procedures should include some practical means for staff at all levels of the organization to report instances of management override of controls that could be indicative of fraud, waste or abuse.

GFOA further recommends that finance officers, with the assistance of internal auditors or equivalent personnel as needed, periodically evaluate relevant internal control procedures to satisfy themselves that those procedures are:

  1. Are adequately designed to achieve their intended purpose,
  2. Have actually been implemented, and
  3. Continue to function as designed

Evaluations should also encompass the effectiveness and timeliness of the government’s response to identified control weaknesses and the remediation of those internal control weaknesses (e.g., resolution of items in exception reports).

The effectiveness of the internal control procedures needs to be reassessed periodically. Moreover, there should be a mechanism in place to identify changes in business processes, to evaluate the resulting need for changes to controls, and to promptly make those changes when necessary. Following each periodic reassessment or modification, a new baseline of effectiveness needs to be established as a basis for subsequent monitoring.

In addition, GFOA recommends that upon completion of any evaluation of internal control procedures finance officers determine what specific actions are necessary to remedy the root cause of any disclosed weaknesses. A corrective action plan with an appropriate timetable should be adopted. There should be follow-up on the corrective action plan to ensure that it has been fully implemented on a timely basis.


  1. This information is specifically adapted to the needs of state and local governments in GFOA’s publication Evaluating Internal Controls: A Local Government Manager’s Guide. An additional source of information about COSO directly applicable to governments is Standards for Internal Control in the Federal Government, commonly referred to as “The Green Book.”
  2. See GFOA’s recommended practice on Policies and Procedures Documentation (2021).
  3. See GFOA’s recommended practice on Whistleblowing (2021).
  4. See GFOA’s recommended practice on Internal Audit Function (2020) government’s response to indications of potential control weaknesses generated by internal control procedures.
  5. It normally would not be practical for financial managers to attempt to undertake a thorough evaluation of all of their internal controls in a single year. Therefore, it is appropriate that financial managers assess their risk profiles and prioritize their review of internal control cycles based on their assessed risk profiles.

This best practice was previously titled Getting Management Involved with Internal Control.

  • Committees: Accounting, Auditing, and Financial Reporting (AAFRC)
  • Board approval date: Thursday, September 1, 2022