Internal Controls vs. Audit Requirements: What's the Difference?
Internal controls and audit requirements are often mistakenly viewed as the same thing. However, these two closely related concepts serve distinct purposes. In fact, school business officials must attend to one before moving on to the other.
Internal controls are the policies, procedures, and practices your district designs and implements to prevent errors, detect fraud, and ensure reliable financial reporting. They are proactive strategies. You own them. Dual-signature requirements, monthly bank reconciliations, and the separation of payment and purchase responsibilities are a few examples.
Audit requirements are the standards your independent auditors use to assess whether your controls are designed and working effectively. If auditors discover inadequate or absent controls, they may intensify their testing and issue a management letter highlighting the shortcomings. You, not the auditors, are responsible for correcting that finding. The external audit is not a replacement for your own control design; rather, it is a feedback loop.
Every new GASB standard expands what you must report, immediately creating new control obligations your framework must address.
The Standards That Govern You
Several overlapping internal controls frameworks apply to school districts. It's important to understand which frameworks are relevant and how they work together.
Different sets of standards govern your district's internal control responsibilities and your auditors' behavior. Table 1 describes the responsibilities regarding the internal controls framework.
Table 1. The Internal Controls Framework
|
|
|
|
|
|
Defines the five components and 17 principles from which all other frameworks derive.
|
Your district (SBO/Management)
|
|
|
Adapts COSO principles for government entities, the directly applicable standard for school districts, now requiring documented risk assessments and explicit fraud and cybersecurity consideration.
|
Your district (SBO/Management)
|
|
|
Defines governmental GAAP — what your district must report and how. Every new GASB standard creates new reporting obligations that your controls must be designed to support.
|
Your district (SBO/Management)
|
|
|
Defines the SBO's professional obligations: establish controls, ensure GASB compliance, manage the audit relationship, and remediate findings
|
|
|
|
Benchmarks the internal audit function — independence, planning, and reporting — and applies whether or not your district has a dedicated internal auditor
|
Internal Auditor / SBO where no auditor exists
|
Your auditors operate under Generally Accepted Accounting Principles Standards when performing government audits and under American Institute of Certified Public Accountants Standards for financial statement audit methodology. They evaluate your financial statements against the Governmental Accounting Standards Board® (GASB) as the applicable financial reporting framework — the criteria for audit testing, not an auditor conduct standard. Understanding all three helps you engage as a peer, anticipate what auditors will test, and respond to findings with authority and confidence.
Table 2 describes responsibilities regarding the audit standards framework.
Table 2: The Audit Standards Framework
|
|
|
|
|
|
How the auditor conducts the government audit engagement — independence, fieldwork, and reporting.
|
|
|
|
Financial statement audit methodology.
|
|
|
|
The financial reporting framework your auditors measure your statements against — the criteria for audit testing, not an auditor conduct standard.
|
|
COSO, the GAO Green Book, and GASB
GASB appears in both Table 1 and Table 2 because its implementation is both a financial reporting event and an internal controls event. When a new GASB standard arrives, your first question should be, "What new control does this standard create?" — not just "How do we book this entry?" If your self-assessment lacks a GASB implementation checklist, it has a blind spot.
It's helpful to remember that COSO and the GAO Green Book define your internal control framework—the five-component structure that protects the integrity of every process and transaction. GASB defines generally accepted accounting principles (GAAP), which are the financial accounting and reporting standards every U.S. school district must follow.
These two systems are not competing; they are interdependent. Every new GASB standard expands what you must report, thereby creating new control obligations your framework must address. The 2025 Green Book revision makes this connection explicit by requiring that risk assessments now be documented in writing and address fraud, improper payments, and information security — areas that every active GASB standard touches.
GASB Standards: What's in Effect, What's Coming
Every new GASB standard expands what you must report, immediately creating new control obligations your framework must address. Table 3 outlines examples of several recent GASB standards and how they affected school district finances. Table 4 previews upcoming standards and their implications for SBOs.
Table 3. Recent GASB Standards and What They Mean
|
|
|
|
|
|
|
|
Reclassified student activity and agency funds into fiduciary fund reporting.
|
Fund classification procedures, trustee determination documentation, separate financial statement presentation.
|
|
|
|
Right-of-use assets and lease liabilities on the balance sheet.
|
Lease inventory tracking, new reconciliation workflows, approval protocols.
|
|
|
|
Cloud software contracts on the balance sheet.
|
Classification controls, contract review procedures, IT asset tracking.
|
|
|
|
Updated accrual and disclosure of leave liabilities.
|
Revised payroll procedures, employee contract reviews, updated leave tracking.
|
|
|
FY beginning after June 15, 2024
|
Requires footnote disclosure of concentration risks (revenue dependence, single employer reliance) and constraint risks (tax caps, debt limits, mandated spending) when three triggering criteria are met.
|
Annual documented assessment process to identify concentrations and constraints; assigned ownership, written evaluation against all three disclosure criteria, SBO review before financial statement issuance; audit-ready documentation .
|
|
|
FY beginning after June 15, 2025
|
Major overhaul of government financial reporting — MD&A, budgetary comparisons, proprietary fund statements.
|
New presentation and disclosure controls, revised MD&A procedures, updated budgetary reporting workflows.
|
|
|
FY beginning after June 15, 2025
|
New disclosure requirements for certain capital assets.
|
Updated capital asset tracking, new note disclosure procedures.
|
|
|
FY beginning after June 15, 2026
|
Standardizes identification and disclosure of post-balance-sheet-date events.
|
New procedures for subsequent event identification, documentation, and disclosure.
|
Table 4. Standards to Watch: 2026 and Beyond
|
|
|
|
|
|
Exposure Draft — public comment closes April 27, 2026.
|
Addresses leases, compensated absences, and Financial Reporting Model improvements — practical Q&A guidance.
|
|
|
Exposure Draft expected 2026; final standard likely 2027.
|
Will revisit the modified approach and recognition of roads, bridges, and infrastructure — significant for larger districts.
|
|
|
Exposure Draft expected 2027.
|
Potentially the most significant change to governmental accounting since GASB 34; may introduce a performance-obligation model for all government revenue and expense transactions.
|
|
|
GASB has tentatively removed "going concern" language; project continues.
|
Addresses how governments disclose conditions of severe financial stress.
|
Strong controls don't require a large staff or a dedicated audit department; they require intentional design and consistent follow-through. The order of operations is as follows:
-
Document your risk assessment — in writing.
-
Write procedures, not just policies.
-
Cross train staff; it's both a continuity measure and a control.
-
Build controls for the new GASB standards before the audit.
-
Provide an anonymous reporting mechanism.
-
Review technology access controls.
-
Own your audit findings completely.
The frameworks are available. The standards are established. Your job is to translate them into daily practice—process by process and fiscal year by fiscal year.
Applying the Five Components in Your District
The COSO's five-component model is the universal language of internal controls. Here is what each component demands in a school district context — and where the standard frameworks need to be modified for your environment.
1. Control Environment begins with the board's governance policies and your visible commitment to ethical standards. In a school district, this means written codes of conduct, clearly defined lines of authority, and consistent enforcement. In smaller districts, the SBO's personal behavior is the control environment — there is no organizational layer to buffer the effect of a lapse in judgment or a compromise of independence.
2. Risk Assessment requires annual identification of financial and operational risk areas. The 2025 Green Book now mandates documentation of this assessment, explicitly addressing fraud, improper payments, and information security. School-specific high-risk areas include student activity funds, food service cash receipts, purchasing cards, payroll, and federal grant compliance. These areas are not addressed in corporate frameworks but represent the greatest exposure in school district operations.
3. Control Activities are the specific procedures that mitigate identified risks: segregation of duties, dual-signature requirements, authorization protocols, and physical safeguards for cash and equipment. In small offices with limited staff, the SBO or superintendent may need to perform compensating controls — opening mail independently, reviewing bank statements directly, or approving all wire transfers — to substitute for formal segregation of duties. The control must remain in place even when staffing does not support the textbook design.
4. Information and Communication encompasses board financial reporting, distribution of audit findings, staff training on procedures, and open channels for reporting irregularities. This component includes whistleblower protections and anonymous reporting mechanisms. If staff cannot safely report a concern, the control environment has a material gap regardless of what the policy manual says.
5. Monitoring is where the internal audit lives. If your district has no dedicated internal auditor, the SBO should conduct or commission management self-assessments and ensure corrective action plans from external audits are tracked to completion. The IIA's Three Lines Model — with the board governing, management controlling, and internal audits providing independent assurance — provides the structural framework. As Weaver's analysis of internal auditors in school districts notes, all three lines must be operational and coordinated to create an effective control structure.
Conducting a Control Self-Assessment
Most districts learn about control deficiencies from their external auditors. Proactive SBOs reverse that dynamic by conducting structured self-assessments before each audit cycle.
Begin by mapping your current processes to the five components. Where are approvals missing? Who has incompatible duties? Which processes rely on a single employee with no backup or review? Prioritize by risk: cash receipts, payroll, procurement, student activity accounts, and federal programs carry the highest exposure and the greatest reputational consequences if controls fail.
Document everything. The 2025 Green Book requires documentation of risk assessment results — not just evidence that an assessment occurred. Develop written procedures, not just policies: a policy states what should happen; a procedure describes exactly how, by whom, and when. Cross train staff. Cross-training is simultaneously a continuity measure and an internal control—irregularities become visible when a different employee performs a task for the first time.
When your self-assessment identifies deficiencies, develop a corrective action plan with assigned owners, deadlines, and a follow-up mechanism. ASBO International's professional standards make this an SBO obligation. Audit remediation is not optional, not delegable, and not complete until controls are tested and functioning.
Student activity funds deserve special attention. These accounts — covering athletics, clubs, concessions, and fundraisers — represent some of the highest cash-volume, lowest-control environments in your district. GASB 84 changed how these funds must be classified and reported, and many districts are still catching up on the control side.
Three duties must always be segregated: signing checks, maintaining fund accounting records, and reconciling bank statements. Pre-numbered tickets, control sheets, documented depositing procedures, and monthly reconciliations to the general ledger are the baseline — not the best practice. Audit findings in student activity funds are among the most common and most recurring in school district management letters. Fix them proactively; don't let them become a pattern.
Strong internal controls are not the end goal — they are the infrastructure that makes every other goal achievable. When your control environment is sound, you can defend every expenditure, respond to every audit finding, and report to your board with confidence. The frameworks are established. The standards are freely available. The SBO's responsibility is to translate them into operational reality — district by district, process by process, and year by year.
For an extensive discussion of how to implement internal controls, read part 3 of this series:
COSO — Direct Document Links
|
|
|
|
|
Maps the COSO Internal Control framework to the IIA's Three Lines Model—clarifying how the board, management, and internal audit each own distinct control responsibilities. Practical for districts defining roles between the SBO, superintendent, and external auditor.
|
|
|
COSO's detailed guidance on the Monitoring component — the fifth and most frequently underdeveloped COSO component in school districts. Covers ongoing monitoring activities, management self-assessments, and how to evaluate and report deficiencies. Directly applicable to districts without a dedicated internal auditor.
|
|
|
Current announcements, newly released guidance, and upcoming publications from COSO. Use this page to stay up to date on supplemental framework extensions without purchasing each document.
|
|
|
The foundational global internal control framework organizing all control obligations into five components and 17 principles. All other standards — including the GAO Green Book — derive from this document. The 2013 edition remains current as of 2026. Free government alternative: The
|
|
|
Maps all five COSO components to GenAI-specific risks — data integrity, authorization, and output review. As school districts adopt AI tools for administration, communications, grading support, and financial analysis, the internal control obligations are no longer theoretical. Districts using any generative AI tool should assess existing controls against this guidance.
|
|
|
Extends the COSO framework to automated workflows in finance, HR, and procurement. Districts that utilize automated payroll processing, purchasing approvals, or accounts payable systems find this relevant, as they must still design, monitor, and test automated controls in these areas.
|
|
|
COSO's Enterprise Risk Management framework is broader in scope than the Internal Control framework, covering strategy, performance, and organizational resilience. Useful for districts building a comprehensive risk management program beyond transactional internal controls, including federal grant compliance risk and long-term financial sustainability planning.
|
|
|
|
This article was curated with the assistance of two AI tools, each serving a distinct and limited function. Perplexity AI (Perplexity AI, Inc., April 2026), a large language model, was used to compile research, locate and verify applicable standards and source documents, and assist with content drafting. QuillBot™ (QuillBot Inc.®), an AI-powered writing tool, was used for sentence-level fluency, readability, and editorial refinement—not for content generation. All factual claims were independently confirmed by the author against primary sources, including the GAO Green Book (2025), GASB pronouncements, COSO publications, and AICPA standards. Professional analysis, practice recommendations, and all editorial decisions — including content selection, structural organization, emphasis, and framing — are the author's own. AI assistance is disclosed in accordance with School Business Now Author Guidelines.