Which of the following is not part of the GAO internal control standards?

The GAO internal control standards are built around five components: control environment, risk assessment, control activities, information and communication, and monitoring. Understanding this helps map each item to the framework. Monitoring by assessing the quality of performance over time fits squarely with the monitoring component, which focuses on ongoing evaluations of performance and internal processes. Information communicated aligns with the information and communication component, which covers the flow of information necessary to carry out internal control and achieve objectives. Risk assessment of internal and external threats corresponds to the risk assessment component, which involves identifying and analyzing risks to achieving objectives. Data encryption of stored information is a specific security measure, not one of the five GAO internal control components or principles. While encryption is a valuable security control, the framework describes broader components and standards rather than individual technical controls. Therefore, this item is not part of the GAO internal control standards.