Response to the 2024 Exposure Draft of the Green Book

Mr. Dalkin,

Thank you for keeping the Green Book up to date and for allowing the public to comment on the 2024 exposure draft of the Green Book. I frequently refer to the Green Book when teaching how to audit internal controls in my Parker CPE courses.

It has been 10 years since the last update to the Green Book

The majority of my courses are designed for government performance auditors. I also utilize the Green Book when preparing the study guide for the Public Sector Audit Institute’s Certified Responsible Government Auditor (CRGA) exam.

I know that you are specifically requesting feedback on the 15 discussion questions in Enclosure II of the exposure draft, but I plan to respond broadly.

New Requirements for Management

The inclusion of risks related to improper payments and information security, alongside the existing focus on fraud, ensures a more comprehensive approach to risk management. By explicitly requiring management to document risk assessments and responses regularly, including considerations of significant changes, the internal control system can remain robust and adaptive.

Prioritization of Preventative Controls

I fully support the proposed revisions, which expand the application guidance for designing preventive and detective control activities. This approach ensures that management implements a balanced mix of controls to mitigate risks effectively.

Prioritizing preventive controls is particularly important because they offer a cost-efficient use of resources and are generally more effective at mitigating risks such as fraud and improper payments. The emphasis on preventive measures helps avoid the pitfalls of the "pay and chase" model, where issues are addressed only after payments are made, leading to inefficiencies and higher costs.

Appendix III: Additional Resources

Appendix III is intended to provide references that management can leverage in designing, implementing, and operating effective internal control systems to address risk areas related to fraud, improper payments, and information security. However, its current form is not as useful as it could be. The appendix primarily links to other GAO work, which, while valuable, may not offer the practical, actionable insights that management needs.

To enhance its utility, this appendix could include specific examples of controls that can be designed and implemented for various activities. For instance, instead of merely referencing general GAO reports, the appendix could detail specific preventive and detective controls for scenarios such as processing payroll, managing procurement, or handling financial reporting. Essentially, this would enhance Appendix II: Examples of Preventative and Detective Controls with real-world examples. This would provide management with concrete, applicable strategies, making the appendix a more practical tool for enhancing internal controls.

By including real-world examples and detailed guidance, Appendix III could transform from a list of references into a hands-on resource that directly supports management in strengthening their control systems.
