The 17 principles with attributes of the Green Book are as follows:

Control Environment
1. The oversight body and management should demonstrate a commitment to integrity and ethical values.

• Tone at the Top
• Standards of Conduct
• Adherence to Standards of Conduct

2. The oversight body should oversee the entity’s internal control system.

• Oversight Structure
• Oversight for the Internal Control System
• Input for Remediation of Deficiencies

3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.

• Organizational Structure
• Assignment of Responsibility and Delegation of Authority
• Documentation of the Internal Control System

4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.

• Expectations of Competence
• Recruitment, Development, and Retention of Individuals
• Succession and Contingency Plans and Preparation

5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

• Enforcement of Accountability
• Consideration of Excessive Pressures

Risk Assessment
6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.

• Definitions of Objectives
• Definitions of Risk Tolerances

7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.

• Identification of Risks
• Analysis of Risks
• Response to Risks

8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

• Types of Fraud
• Fraud Risk Factors
• Response to Fraud Risks

9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

• Identification of Change
• Analysis of and Response to Change

Control Activities
10. Management should design control activities to achieve objectives and respond to risks.

• Response to Objectives and Risks
• Design of Appropriate Types of Control Activities
• Design of Control Activities at Various Levels
• Segregation of Duties

11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.

• Design of the Entity’s Information System
• Design of Appropriate Types of Control Activities
• Design of Information Technology Infrastructure
• Design of Security Management
• Design of Information Technology Acquisition, Development, and Maintenance

12. Management should implement control activities through policies.

• Documentation of Responsibilities through Policies
• Periodic Review of Control Activities

Information and Communication
13. Management should use quality information to achieve the entity’s objectives.

• Identification of Information Requirements
• Relevant Data from Reliable Sources
• Data Processed into Quality Information

14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.

• Communication throughout the Entity
• Appropriate Methods of Communication

15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

• Communication with External Parties
• Appropriate Methods of Communication

Monitoring
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

• Establishment of a Baseline
• Internal Control System Monitoring
• Evaluation of Results

17. Management should remediate identified internal control deficiencies on a timely basis.

• Reporting of Issues
• Evaluation of Issues
• Corrective Actions