Development of Internal Control: Methodology and Responsibility

1. Development of Internal Control: Methodology and Responsibility Janet Thomas HM Treasury/ National Audit Office United Kingdom Workshop on “Audit/Evaluation of PIFC Systems”Ankara 8-9 July 2008

2. Content of presentation • What is internal control? • COSO, Intosai, EU view, UK view • UK “methodology” • Governance, role of audit committee, management of risk, role of internal and external audit, statement on internal control • How it all fits together • Assessment against COSO/ INTOSAI • Key concepts • Accountability • Delegation • Proportionality

3. What is internal control? COSO (1992) Internal control is broadly defined as a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations

4. What is internal control? INTOSAI (2004) Internal control is an integral process that is effected by an entity’s management and personnel and is designed to address risks and to provide reasonable assurance that in pursuit of the entity’s mission, the following general objectives are being achieved: Executing orderly, economical, efficient and effective operations Fulfilling accountability operations Complying with applicable laws and regulations Safeguarding resources against loss, misuse and damage

5. What is internal control? COSO/ INTOSAI components Control environment Risk assessment Control activities Information and communication Monitoring

6. What is internal control? European Commission Reforms from 2000 onwards – “wise men’s report” Treaty obligations “legality and regularity” Financial regulation definition Art 28a Acquis requirements for accession Chapter 32 Financial control Criteria for opening and provisionally closing Ch 32 based on development of PIFC strategy and legislation

7. The three pillars of PIFC • Managerial accountability • Financial management and control systems developed and monitored by a central harmonisation unit • Supported by functionally independent internal audit

8. What is internal control? United Kingdom government view Formerly implicit rather than explicit, but long tradition of internal audit Acted on Turnbull (1999) and Sharman (2001) recommendations Focuses on provision of annual “statement on internal control” Introduction of resource accounting and budgeting, 2001 Treasury guidance from “CHU” on corporate governance, audit committee handbook, government internal audit standards and guidance, “managing public money”, management of risk guidance

9. The UK “methodology” Governance is the key • Defined accountability – role of Minister and Accounting Officer, both responsible and answerable to Parliament • Corporate Governance Code: Responsibilities of departmental Board • To ensure that effective arrangements exist to provide assurance on risk management, governance and internal control • Role of Audit Committee • Internal Audit function

10. The UK “methodology” Role of audit committee: 5 principles • Supports the Board and the Accounting Officer by reviewing the comprehensiveness, reliability and integrity of assurances that risk management, governance and internal control are functioning effectively • Independent and objective with a good understanding of the priorities of the organisation • Provides an appropriate mix of skills • Terms of reference to define scope of work • Effective communication with Board, Head of Internal Audit, external audit and other stakeholders

11. The UK “methodology” Role of internal audit: To provide an independent and objective opinion to the Accounting Officer on risk management, control and governance*, by measuring and evaluating their effectiveness in achieving the organisation’s agreed objectives. * The policies, procedures and operations established to ensure the achievement of objectives, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations and compliance with behavioural and ethical standards.

12. The UK “methodology” Management of risk • All government organisations must have basic risk management processes in place • Guidance provided in “The Orange Book” • Risk should managed to a level which is tolerable • Effectiveness of risk management audited internally and externally • Accounting Officer must comment on risk management in his annual “Statement on Internal Control”

13. The UK “methodology” The Statement on Internal Control • Every Accounting Officer must sign an annual Statement on Internal Control • Prescribed format given in Financial Reporting Manual • Scope of responsibility • Purpose of the system of internal control • Capacity to handle risk • Risk and control framework • Review of effectiveness (significant internal control issues must be mentioned)

14. The UK “methodology” The Statement on Internal Control: examples of significant internal control issues • Failure to achieve a Public Service Agreement target • Organisation had to seek additional funding from Treasury • Adverse opinion from external auditor – material impact on the accounts • Head of Internal Audit and/or Audit Committee agree that an issue is significant • Public interest and/or damage to the organisation’s reputation

15. The UK “methodology” Role of external audit (National Audit Office) • To review the Statement on Internal Control for each government organisation • Compliance with Treasury requirements • Consistency with external auditor’s work on financial statements • To provide an assurance to Parliament that the resource accounts have been properly prepared, are free from material misstatement, and that transactions have appropriate Parliamentary authority • To provide value-for-money reports assessing the economy, efficiency and effectiveness with which public money has been used

16. How it all fits together Accounting Officer Board Objectives Business plan PSAs and Performance Measures Risk register Budget Risk monitoring Internal audit Accounts Annual report Audit committee Statement on internal control NAO Parliament/ PAC

17. How do we match up against COSO/ INTOSAI? Control environment: Accountability to Parliament, Board and Audit Committee Risk assessment: Risk management systems widespread, audited internally and externally, reported on in annual Statement on Internal Control Control activities: Delegated to the organisation, described in the Statement on Internal Control Information and Communication: Annual reports, regular reporting to Board and Audit Committee Monitoring: Internal audit reports, regular monitoring by Board and Audit Committee, results of monitoring summarised in Annual Statement on Internal Control

18. How do we match up against the Commission guidance? • Managerial accountability • Clearly defined and expressed in statement on internal control • Financial management and control systems developed and monitored by a central harmonisation unit • Guidance produced centrally eg on governance; risk management • But development of systems delegated to Government Departments • Supported by functionally independent internal audit • Internal audit units in each Government Department

19. Key concepts • Statement on Internal Control – informs on all aspects of internal control, published on internet • Accountability – of Minister and Accounting Officer • Delegation – control and management of spending delegated to departments, monitored by Treasury • Proportionality – no sledgehammer to crack a nut • Guidance – not always prescription

20. All UK guidance is available at www.hm-treasury.gov.uk and on departmental websites Thank you! Good luck!