From the U.S. Government Accountability Office, www.gao.gov
Transcript for: An Introduction to Internal Control: The 2025 Green Book
Description: 
  In May 2025, GAO published its latest revision to the Green Book – Standards for Internal Control in the Federal Government. Internal control is the system of rules, processes, and specific procedures that an organization puts in place to improve operational efficiency, ensure accurate reporting, and comply with legal and regulatory requirements. 
  In this video, of we discuss the basics of internal control, what the Green Book is and how to use it, noting key changes in the 2025 Revision. 

Related GAO Work: GAO-25-107721. Standards for Internal Control in the Federal Government
Released: May 2025
[ GAO's Lanie Carlson, Financial Management & Assurance, speaking ]
  In May 2025, GAO published its latest revision to the Green Book – Standards for Internal Control in the Federal Government. If you’re new to the federal government, a new manager, or just interested in government efficiency and accuracy, let’s spend the next few minutes exploring what internal control is and how these standards can help agencies successfully manage their programs and expenditures.
  What is internal control and how does it work? 
  Internal control is the system of rules, processes, and specific procedures that an organization puts in place to improve operational efficiency, ensure accurate reporting, and comply with legal and regulatory requirements. These are the tools that help agencies protect their assets, prevent fraud, and promote accountability in government. Internal control is not meant to be a checklist or a compliance exercise separate from an agency's regular business processes.
  Instead, it should be a dynamic and integrative part of those processes that helps them work the way they're intended to. Ultimately, internal control is a process that management uses to achieve their objectives. Objectives are grouped into categories related to Operations, Reporting, which includes both financial and non-financial reports, and Compliance. 
  This cube represents the internal control system. It shows how the key components of internal control are implemented at all levels of the organizational structure to achieve these categories of objectives. Internal control is also not exclusive to financial management. Internal control requires participation from managers and personnel at all levels and from all functions, including those in both financial and program roles. 
  What is the Green Book and how is it used? 
  The Green Book sets internal control standards for federal executive branch entities. It can also be used as a framework for other federal entities outside the executive branch and by nonfederal entities too, such as state and local governments and nonprofits. The standards in the Green Book are organized by five components of internal control - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Principles are the requirements of each component. 
  There are 17 principles contained within the five components of internal control. Within each principle, there's application guidance called attributes, which help explain the principle. Management, by which we mean the people directly responsible for all activities of an agency or program, considers these attributes to determine whether the related principle is designed, implemented and operating effectively. The Green Book also contains documentation requirements for the internal control system. 
  What are the components of an effective internal control system? 
  1) Control Environment. The foundation of an internal control system is an environment that provides the discipline and structure to help the entity achieve its objectives. This includes demonstrating a commitment to integrity and ethical values in both policy and behavior, delegating responsibility and authority to the appropriate employees who are competent in their roles, and overseeing and evaluating the performance of internal control responsibilities. 
  2) Risk Assessment. In effective risk assessment, management defines objectives that align with the organization's mission, strategic plan, and performance goals. Management identifies risks that could adversely affect the achievement of the defined objectives, and develops appropriate risk responses by analyzing the likelihood of a risk occurring and the magnitude of its impact. Management may choose to respond by accepting, avoiding, reducing, or sharing the risk. 
  3) Control Activities. The actions management establishes through policies and procedures to mitigate assess risks to an acceptable level are called control activities. Appropriate types of control activities depend on the nature of the risk they are designed to address.
  4) Information and Communication. Management uses relevant quality information to support the internal control system. Management communicates relevant quality information with appropriate internal and external parties about matters impacting the internal control system. 
  5) Monitoring. Management monitors and evaluates the internal control system in order to remain aligned with changing objectives, risks, and operating environments and to promptly resolve any deficiencies in performance. 
  Why is the Green Book being updated? 
  Let's take a closer look at some of the most recent updates to the Green Book. Recent events such as pandemics and cyber-attacks have highlighted certain challenges that management faces when addressing risks related to fraud, improper payments, information security, and the implementation of new or substantially changed programs, including emergency assistance programs. 
  Green Book 2025 Revision - Key Changes. 
  Here are some key takeaways from this revision to help managers responsible for internal control address some of these challenges. A new requirement to document the results of risk assessments. A new requirement that within its risk assessments, management should specifically consider risks related to improper payments, fraud and information security. These risks are specified because they may be widespread and because they can often be inadequately addressed in standard risk assessments. Additionally, management should proactively document a process to help them be able to respond to significant changes when they occur.
  The update also includes a clarification that management prioritize preventive controls, which generally offer the most cost-efficient use of resources and are effective at mitigating fraud and improper payment risks. The new revision also includes new appendices, with additional resources and examples that management can use to address risks related to fraud, improper payments, and information security. 
  For more information on the Green Book and our recent changes to the Internal Control standards, be sure to check out our webpage at www.gao.gov/greenbook.

 [ End ]
For more info, check out our report GAO-25-107721 at: GAO.gov