Section 4 - Additional Considerations

Service Organizations

OV4.01 Management may engage external parties to perform certain operational processes for the entity, such as accounting and payroll processing, security services, or health care claims processing. For the purpose of the Green Book, these external parties are referred to as service organizations. Management, however, retains responsibility for the performance of processes assigned to service organizations.

Therefore, management needs to understand the controls each service organization has designed, has implemented, and operates for the assigned operational process and how the service organization’s internal control system impacts the entity’s internal control system.

OV4.02 If controls performed by the service organization are necessary for the entity to achieve its objectives and address risks related to the assigned operational process, the entity’s internal controls may include complementary user entity controls identified by the service organization or its auditors that are necessary to achieve the service organization’s control objectives.

OV4.03 Management may consider the following when determining the extent of oversight for the operational processes assigned to the service organization:

  • The nature of services outsourced
  • The service organization’s standards of conduct
  • The quality and frequency of the service organization’s enforcement of adherence to standards of conduct by its personnel
  • The magnitude and level of complexity of the entity’s operations and organizational structure
  • The extent to which the entity’s internal controls are sufficient so that the entity achieves its objectives and addresses risks related to the assigned operational process

Large versus Small Entities

OV4.04 The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms—such as written reports, intranet portals, or periodic formal meetings—to communicate with the organization.

OV4.05 A smaller entity, however, faces greater challenges in segregating duties because of its concentration of responsibilities and authorities in the organizational structure. Management, however, can respond to this increased risk through the design of the internal control system, such as by adding additional levels of review for key operational processes, reviewing randomly selected transactions and their supporting documentation, taking periodic asset counts, or checking supervisor reconciliations.

Benefits and Costs of Internal Control

OV4.06 Internal control provides many benefits to an entity. It provides management with added confidence regarding the achievement of objectives, provides feedback on how effectively an entity is operating, and helps reduce risks affecting the achievement of the entity’s objectives. Management considers a variety of cost factors in relation to expected benefits when designing and implementing internal controls. The complexity of cost-benefit determination is compounded by the interrelationship of controls with operational processes. Where controls are integrated with operational processes, it is difficult to isolate either their costs or benefits.

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives.

Documentation Requirements

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows:

    • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06)
    • Management develops and maintains documentation of its internal control system. (paragraph 3.09)
    • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02)
    • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09)
    • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05)
    • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06)

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively.

Use by Other Entities

OV4.10 The Green Book may be applied as a framework for an internal control system for state, local, and quasi-governmental entities, as well as not-for-profit organizations. If management elects to adopt the Green Book as criteria, management follows all relevant requirements presented in these standards.

