Best Practices

Internal Control Environment

GFOA recommends that governments demonstrate a commitment to the COSO framework, assume responsibility for overseeing internal control, develop organizational structures and accountability, commit to attracting and retaining competent employees, and hold individuals accountable.

In its Internal Control Framework best practice, GFOA recommends that state, provincial, and local governments adopt the Committee of Sponsoring Organizations’ (COSO) Internal Control—Integrated Framework (2013) as their conceptual basis for designing, implementing, operating, and evaluating internal control, so as to provide reasonable assurance that they are achieving their operational, reporting, and compliance objectives. To support governments’ efforts in this area, GFOA is developing best practices that explain how to implement each of the five components of that framework. This best practice focuses on the first of those five components, the control environment, which the COSO has defined as a set of standards, processes, and structures that provide the basis for carrying out internal control.

GFOA recommends that governments establish a strong internal control environment by implementing the practices identified in this best practice:

The governing body, upper-level management, and all levels of staff throughout the organization should demonstrate a commitment to the framework.

  • Setting “the tone at the top” by prioritizing integrity and ethical values (governing body and management);
  • Officially adopting the COSO framework (governing body);
  • Adopting a policy to incorporate the implementation, maintenance, and updating of the framework into the government’s strategic goals (governing body), by establishing a structure of authority and responsibility;
  • Developing standards of conduct for employees and providing training on those standards;
  • Requiring management and employees to sign statements declaring that they will follow the standards of conduct (commitment statements), and requiring annual signature of conflict of interest and commitment statements; and
  • Including compliance with standards of conduct as part of employee evaluations to ensure accountability.

The governing body should exercise oversight responsibility for internal control.

  • Actively overseeing management’s implementation of the framework and of internal controls that function as part of the framework;
  • Actively monitoring the performance of internal controls;
  • Obtaining education about the nature and purpose of internal control sufficient to allow members of the governing body to meaningfully perform their oversight function, with the assistance of a financial expert;
  • Establishing an audit committee (or equivalent) made up of members of the governing body[3];
  • Obtaining expert advice, independent of management, to help it perform its oversight function if no member of the audit committee possesses financial expertise;
  • Documenting that controls have been reviewed and updated if necessary;
  • Approving significant control-related policies; and
  • Determining how often policies and procedures need to be reviewed (annually), reaffirmed, and updated (at least every two years, or when processes change).

Management should establish organizational structure and lines of authority to ensure staff accountability.

  • Creating a formal organizational chart for both the government as a whole and for each of its departments;
  • Requiring written procedures for important government processes (for example, payroll);[4]
  • Developing flowcharts of each significant process;
  • Maintaining electronic copies of process flowcharts to facilitate updating;
  • Identifying responsibilities for departmental and individual workflow approvals in their systems; and
  • Ensuring that systems incorporate documented compensating controls, including manual controls, if necessary.

Governments should commit to attracting and retaining competent employees.

  • Developing and maintaining up-to-date comprehensive job descriptions;
  • Ensuring that hiring panels include experts in the desired skill sets;
  • Prioritizing opportunities for employees to gain continuing professional education to stay current in their fields;
  • Prioritizing membership in professional organizations to encourage the development of networks and obtain professional education;
  • Supporting the development of succession planning;
  • Cross-training staff;
  • Thoroughly documenting the responsibilities of each position and appropriate processes for succession planning;
  • Providing managerial training, in addition to technical training, for staff members who will be promoted;
  • Requiring that supervisors give staff members hands-on training on key responsibilities; and
  • Developing an ongoing mentoring program to enhance employees’ skills.[5]

Governments should enforce accountability for all staff regarding their internal control responsibilities.

  • Preparing comprehensive, consistent, and fact-based performance appraisals;
  • Providing performance appraisals on a timely basis;
  • Taking disciplinary action if conduct is not consistent with expected performance;
  • Including internal control compliance as part of employee performance reviews;
  • Establishing zero-tolerance policies (e.g., theft) and adhering to them; and
  • Ensuring that union agreements and other employment contracts clearly delineate responsibilities up front.


  1. An additional source of information about COSO directly applicable to governments is Standards for Internal Control in the Federal Government, commonly referred to as “The Green Book.”
  2. If the governing body is appointed, rather than elected, the term governing body would apply to both members of the governing body and the elected officials to whom they report.
  3. Also see GFOA’s best practice Audit Committees.
  4. Also see GFOA’s best practice Policies and Procedures Documentation.
  5. Governments may want to consider mentoring relationships outside of the chain of command to facilitate independent feedback.

This best practice was previously titled Framework for Internal Control: The Control Environment.

  • Committees: Accounting, Auditing, and Financial Reporting (AAFRC)
  • Board approval date: Thursday, September 1, 2022