Internal Control Phase
310 – Overview of the Internal Control Phase
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 310-2
relate to compliance with applicable laws, regulations, contracts, and grant
agreements. Entity management is responsible for establishing and maintaining
internal control over financial reporting to provide reasonable assurance that the
entity’s objectives will be met. In a financial statement audit, the auditor evaluates
those internal controls designed to provide reasonable assurance that the
following objectives are met.
• Reliability of financial reporting: Transactions are properly recorded,
processed, and summarized to permit the preparation of the financial
statements in accordance with U.S. generally accepted accounting principles
(U.S. GAAP), and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition.
• Compliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements: Transactions are executed in
accordance with significant provisions of applicable laws, including those
governing the use of budget authority, regulations, contracts, and grant
agreements, noncompliance with which could have a material effect on the
financial statements.
.04 The auditor should determine whether such internal control provides reasonable
assurance that misstatements, losses, or noncompliance, material in relation to
the financial statements, would be prevented, or detected and corrected, during
the period under audit. If the auditor intends to opine on internal control, the
auditor should form a separate conclusion on internal control over financial
reporting as of the end of the period. Additionally, the auditor may test certain
operations controls, as discussed in the planning phase (FAM 275).
.05 Internal control over safeguarding assets is a process, implemented by
management and other personnel, designed to provide reasonable assurance
regarding the prevention, or prompt detection and correction, of unauthorized
acquisition, use, or disposition of entity assets that could have a material effect
on the financial statements (AU-C 940.29d). Safeguarding controls consist of
(1) controls that prevent, or detect and correct, unauthorized access (direct or
indirect) to assets and (2) segregation of duties.
The auditor should understand the design of certain safeguarding controls as
part of financial reporting controls. These controls relate to protecting assets from
loss arising from handling the related assets and resulting in misstatements in
processing transactions. FAM 395 C includes a list of typical control activities.
The auditor need not evaluate safeguarding controls related to the loss of assets
arising from management’s business decisions. Such a loss may occur from
incurring expenditures for equipment or material that might prove to be
unnecessary, which is part of operations controls.
.06 Just as safeguarding controls are a subset of operations, reporting, and
compliance controls, budget controls are a subset of financial reporting and
compliance controls. Budget controls that provide reasonable assurance that
budgetary transactions, such as obligations and outlays, are properly recorded,
processed, and summarized to permit the preparation of the financial statements,
primarily the statement of budgetary resources, in accordance with U.S. GAAP,
are financial reporting controls. Budget controls are generally also compliance
controls in that they provide reasonable assurance that transactions are
executed in accordance with laws governing the use of budget authority. Some