Internal Control Framework

Minnesota law requires the head of each executive branch state agency design, implement, and maintain an effective system of internal control within the agency. The law requires that the system:

Safeguard public funds and assets and minimize incidences of fraud, waste, and abuse;
Ensure that programs are administered in compliance with federal and state laws and rules; and
Require documentation of internal control procedures over financial management activities, provide for analysis of risks, and provide for periodic evaluation of control procedures to satisfy that these procedures are adequately designed, properly implemented, and functioning effectively.

The law requires the Commissioner of Minnesota Management and Budget (MMB) adopt internal control standards and policies. The Commissioner adopted the U.S. Government Accountability Office's established definitions of internal controls, standards, internal control components, principals, and attributes. The document that contains this information is known as the Green Book. The Green Book framework is widely accepted and is the adopted framework for the State of Minnesota. The Green Book serves as the basis for all internal control matters related to executive branch state agencies.

Internal Control is a process developed by an agency to provide reasonable assurance that the following categories of goals will be achieved:

Operations - effectiveness and efficiency of operations.
Reporting - reliability of reporting for internal and external use.
Compliance - compliance with applicable laws, regulations, contracts, and grant agreements.
Safeguarding - safeguarding public funds and assets to minimize incidences of fraud, waste, and abuse.

The Green Book approaches internal control through a hierarchical structure of five components and seventeen principles. The Green Book also contains additional information in the form of attributes.

The five components of internal control are control environment, risk assessment, control activities, information and communication, and monitoring. The five components of internal control apply to all goal categories and all levels of the organizational structure. The seventeen principles support the components of internal control. Attributes provide further explanation of the principles and documentation requirements. Each tab below represents one of the five internal control components.

Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring

Control Environment

Control Environment is the first of five components of the State of Minnesota's adopted internal control standards. The control environment sets the foundation of an effective internal control system and provides the discipline and structure of an agency. The oversight body, senior leadership, and management must demonstrate a positive attitude toward internal control and create a strong ethical "tone at the top." The Green Book outlines five principles and supporting attributes (pages 21-33) associated with an efficient and effective control environment.

The Control System Assessment Tool (CSAT) is an annual requirement and should prompt discussions within the agency to determine what, where, and how to improve the agency' current control environment.
- MMB Statewide Operating Procedure 0102-01.1, Control System Assessment
- Control System Assessment Tool (Excel)
Risk Assessment

Risk Assessment is the second of five components that make up the State of Minnesota's adopted internal control standards. Risk assessment is vital to proactively identify the risks an agency faces as it seeks to achieve its goals. A strong agency risk assessment program is driven by agency goals and an oversight body, senior leadership, and management committed to identify, analyze, and respond to internal and external risks. The Green Book covers four principles and the supporting attributes (pages 34-43) of the risk assessment component.

The Risk Assessment Toolbox includes the policies and procedures along with centralized implementation resources for executive branch agencies to meet risk assessment requirements.
Control Activities

Control Activities is the third of five components of the State of Minnesota's adopted internal control standards. Control activities are actions management establishes through policies and procedures to achieve goals and respond to risks in the internal control system, which includes the agency information system. The Green Book describes three principles and attributes (pages 44-57) to support control activities.
Information & Communication

Information and Communication is the fourth of five components of the State of Minnesota's adopted internal control standards. The use of quality information supports the internal control system. Effective information and communication are necessary for an agency to achieve its goals. The agency oversight body, senior leadership, and management need access to relevant and reliable communication related to internal and external events. Three principles and supporting attributes are defined in the Green Book (pages 58-63) for the information and communication component.
Monitoring

Monitoring is the fifth and final component of the State of Minnesota's adopted internal control standards. Monitoring ties all internal control components together and enables management to detect changes and deficiencies in the other components and take any necessary corrective action. Internal control is a dynamic process that must adapt continually to the risks and changes an agency faces. Monitoring the internal control system maintains agency alignment with changing goals, environment, laws, resources, and risks. Internal control monitoring assesses the quality of performance over time and promotes the prompt resolution of audit findings and other reviews. The Green Book designates two principles and many attributes (pages 64-69) to support monitoring.