Public Internal Control Systems in the European Union

Control Optimisation and Simplification

Discussion Paper No. 11

Ref. 2017-4

The information and views set out in this paper are those of the informally-organised PIC Working Group and do not necessarily reflect the official opinion of the European Union. Neither the European Union institutions and bodies nor any person acting on their behalf may be held responsible for the use which may be made of the information contained therein.

Source: ec.europa.eu/budget/pic/lib/docs/2017/CD_08_ControlOptimisationAn…





Control optimisation and simplification

For many years we have all worked with EU regulations and probably asked ourselves the question – why are the requirements different? Why are the checks similar, but not the same? And probably other questions.

This paper takes two of the main regulations covering EU payments and analyses them against the COSO framework and, at the same time, against each other, to look for opportunities to optimise and potentially simplify controls.

This paper aims to highlight points for further consideration and consultation and to generate discussion, both among Member States and with the European Commission, on simpler and equally or more effective control arrangements.


TABLE OF CONTENTS

1. INTRODUCTION ....................................................................................................... 1

1.1. Overview of the regulations .............................................................................. 2

1.1.1. Agricultural Funds ............................................................................... 2

1.1.2. Structural Funds .................................................................................. 2

2. ANALYSIS OF FUND REQUIREMENTS ............................................................... 2

2.1. Control Environment ......................................................................................... 2

2.1.1. Control Environment – summary analysis .......................................... 3

2.1.2. Control Environment – areas for consideration / consistency ............. 3

2.2. Risk Assessment ................................................................................................ 3

2.2.1. Risk Assessment – summary analysis ................................................. 4

2.2.2. Risk Assessment – areas for consideration / consistency .................... 4

2.3. Control Activities .............................................................................................. 4

2.3.1. Control Activities – summary highlights ............................................ 4

2.3.2. Control Activities – areas for consideration / consistency .................. 5

2.4. Information and Communication ...................................................................... 5

2.4.1. Information and Communication – summary highlights .................... 5

2.4.2. Information and Communication – areas for consideration / consistency .......................................................................................... 5

2.5. Monitoring ......................................................................................................... 5

2.5.1. Monitoring – summary highlights ....................................................... 6

2.5.2. Monitoring – areas for consideration / consistency ............................. 6

3. USING COSO ............................................................................................................. 6

3.1. Limitations of Internal Control.......................................................................... 6

3.2. Major Deficiency ............................................................................................... 6

3.3. Transition........................................................................................................... 7

4. TOPICS FOR DISCUSSION ...................................................................................... 8


LIST OF ACRONYMS

AA Audit Authority

CA Certifying Authority

CF Cohesion Fund

COSO Committee of Sponsoring Organizations of the Treadway Commission

EAFRD European Agricultural Fund for Rural Development

EAGF European Agricultural Guarantee Fund

EC European Commission

ECA European Court of Auditors

EMFF European Maritime and Fisheries Fund

ERDF European Regional Development Fund

ESF European Social Fund

EU European Union

IA Internal Audit

MA Managing Authority

PA Paying Agency


1. INTRODUCTION

As challenges for public sector organisations increase and finances become more restricted, so do the constraints under which they operate and the risks that they accept. It is essential that there is an effective and efficient system of internal control which optimises the available controls, is proportionate to the risks and strikes the right balance between national and EU control requirements.

This Discussion Paper raises some of the main points for debate and offers further food for thought in the key areas of control, risk and regulation, and simplification.

We have taken the control frameworks for two of the biggest areas of EU funding (Agriculture Funds and Structural Funds) and compared them, with a view to identifying any alignment, any unclear areas and any areas where there is a difference in the implementation approach (including the relationships between the various review bodies). From this analysis we have then explored opportunities for consistency, good practice, simplification and efficiencies.

Based on the current control arrangements, we compared these fund controls with a known control framework (COSO) to build on previous PIC Network efforts on Assurance Frameworks and Assurance Maps. Each section of COSO and its supporting principles is revisited below, and each of the regulations is considered alongside what we view as good practice and what we view as weaker control arrangements. These criteria are based on an evolved approach, as used in the United Kingdom.

The high-level analysis simply shows where good indicators are listed as requirements (Green); where they are not mentioned, we show these as Unclear (Amber); and where there is partial coverage (Grey). At the end of each section on COSO we compare and contrast the regulations, and offer some suggestions for simplification, consistency and alignment to good practice.

The basis for the regulatory requirements for each fund is:

- Commission Delegated Regulation (EU) No 907/2014 of 11 March 2014 supplementing Regulation (EU) No 1306/2013 of the European Parliament and of the Council with regard to paying agencies and other bodies, financial management, clearance of accounts, securities and use of euro.

- Regulation (EU) No 1306/2013 of the European Parliament and of the Council of 17 December 2013 on the financing, management and monitoring of the common agricultural policy and repealing Council Regulations (EEC) No 352/78, (EC) No 165/94, (EC) No 2799/98, (EC) No 814/2000, (EC) No 1290/2005 and (EC) No 485/2008.

- Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund and repealing Council Regulation (EC) No 1083/2006 [1].

1.1. Overview of the regulations

1.1.1. Agricultural Funds

The Common Agricultural Policy (CAP) is financed by two funds, which form part of the EU's general budget: the European Agricultural Guarantee Fund (EAGF), which primarily finances direct payments to farmers and measures to regulate agricultural markets, and the European Agricultural Fund for Rural Development (EAFRD), which co-finances rural development programmes of the Member States.

The EAGF and EAFRD are implemented in shared management between the Member States and the Union. This means, among other things, that the European Commission does not make payments directly to the beneficiaries of aid; this task is delegated to the Member States.

The controls analysed are those that must be followed by all Accredited Paying Agencies who administer the funds and make payments to agricultural beneficiaries.

1.1.2. Structural Funds

The Structural Funds expenditure is financed by four funds, which form part of the EU's general budget: the European Regional Development Fund (ERDF), the European Social Fund (ESF), the Cohesion Fund (CF) and the European Maritime and Fisheries Fund (EMFF). All those funds primarily co-finance operational programmes, prepared by Member States in the field of a single policy area or as multi-funded operational programmes, and agreed between the European Commission and the Member State.

2. ANALYSIS OF FUND REQUIREMENTS

In Annex 1 we include a detailed evaluation of the COSO principles against the requirements of each fund. We set out below the highlights of the key findings against each of the five main COSO components.

2.1. Control Environment

In this section we explore the clarity of the ethical values and integrity of the organisation, that the oversight roles in the organisation are clearly defined and where appropriate are independent, providing effective oversight of the development and performance of internal controls, including appropriate reporting lines into a robust governance and accountability structure with appropriate skills to support the achievement of the organisational objectives.

COSO states that the "Control Environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct."

[1] In this context, relevant provisions are included in Parts Three and Four of Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December, applicable only to ERDF, ESF, CF and EMFF and not to the EAFRD, for which Regulation (EU) No 1306/2013 applies.

2.1.1. Control Environment – summary analysis

There are a number of inconsistencies between the two funding regulations, but it is perhaps the lack of an internal audit service requirement in Structural Funds that stands out. There are many areas that are unclear and relate to people factors: staff turnover, performance management and how to deal with exceptions. As to codes of conduct, both regulations require these to be in place, but there is no requirement for them to be applied.

There are many opportunities to improve the control environment in both regulations, and to introduce consistency and commonality which would ease Member State compliance.

Given the lack of a requirement for an internal audit service (Structural Funds), and the limited coverage of the markers of a good control environment, this could no doubt lead to overcompensation in other areas of the COSO framework.

2.1.2. Control Environment – areas for consideration / consistency

Consistency between the regulations on the identification and management of potential conflicts could usefully be explored, as this could cause confusion and challenges for Member States where co-financed measures between the funds are in place.

There is an opportunity to be clearer in defining the key roles. The roles of the Managing Authority (MA), Certifying Authority (CA) and Audit Authority (AA) are clear, but the key roles beyond this lack clarity. For agricultural funds the role of the Paying Agency (PA) has a clearer definition and an independent Internal Audit service is required; this role is missing from the Structural Funds management arrangement.

Other areas worthy of further consideration include:

- Greater use of qualitative data: high turnover of people could indicate issues within the control environment;

- Better definition of required people competences, to enhance selection and recruitment procedures; and

- A greater emphasis on the behavioural aspects of management to set the 'tone at the top', in both regulations.

In this respect, it is worth noting that the paying agencies managing agricultural funds must comply with a "human-resource standard" as part of the accreditation criteria, including minimum skills, division of duties, written job descriptions, compulsory training and conflict of interest avoidance.

2.2. Risk Assessment

"Risk Assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives."


2.2.1. Risk Assessment – summary analysis

Both regulations adequately capture the need for risk(s) to the fund, including fraud-related risks, to be managed.

The risk assessment direction provided in both regulations tends to focus on operational-level risks, with very little in terms of strategic risks. Change-related risks in terms of regulatory and economic change are covered, but many other change-related risks are not. The focus on operational risks without consideration of the strategic is likely to lead to short-term strategies for managing the risks, which in turn may lead to a cyclical approach to control and assurance, where the values tested are selected on a random basis.

2.2.2. Risk Assessment – areas for consideration / consistency

Consistency between the regulations on the identification and management of risks could usefully be explored, with Structural Funds defining a better model for monitoring strategic-level risks, by virtue of the strong links to programme outcomes. That said, neither regulation says much on the wider organisational risk management of the Managing Authority or Paying Agency. Greater consideration could also be given to enhancing the risk assessment in the regulations to go beyond operational risks and to be more strategic in terms of the focus on outcomes.

The role of risk in both regulations is primarily to look at the risks to funding, mainly for the selection of inspections (on-the-spot checks) around factors specific to the programme or fund(s); beyond this, risk is not considered. There are many other areas of risk that will impact on delivering the expected outcomes; change and technology are two of them. That said, a wider view of risks (internal and external) and a prioritisation of these risks may allow for some managed risks to be taken where the cost of control exceeds the value at risk. This would require a mind-set change and a move away from the compliance regimes that are in place for both regulations.

2.3. Control Activities

"Control Activities are the actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities."

2.3.1. Control Activities – summary highlights

Given the highlights in the control environment and risk assessment sections, it is perhaps not surprising that the control activities section has most of the markers covered and that there is a lot of consistency between the two regulations. The remaining areas are gifts and hospitality, and training in cash handling; the latter is not an issue as no EU funds are paid in cash.


Both regulations require management checks and inspections. The selection protocols for inspections differ between the funds: Agricultural Funds inspections are selected on a percentage basis, whereas Structural Funds inspections are selected on the basis of risk. In both cases value is a key selection criterion.

2.3.2. Control Activities – areas for consideration / consistency

The shared compliance focus of both regulations means that the majority of the control activity elements are covered. That said, better alignment of the agricultural regulations to the approach on managing performance indicators would be beneficial.

The agricultural regulations could be clearer on the controls around gifts and hospitality (potential risk of bribery of officials). A requirement to retain a register of these aligns well with the conflicts of interest requirements and should be introduced. Again, the requirement is for these to be in place, but no mention is made of how they are being used or applied.

2.4. Information and Communication

Information and Communication. "Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives."

2.4.1. Information and Communication – summary highlights

There are many areas where the regulations are unclear on the liaison and relationship between internal and external parties, including the audit functions. The open sharing of internal audit reports is not highlighted in either regulation and is a missed opportunity. The lack of open sharing potentially contributes to a lack of transparency and trust between internal and external audit.

2.4.2. Information and Communication – areas for consideration / consistency

Both regulations cover the same markers consistently. Again the emphasis is on the activities around processing and not the wider organisation. Management information data around people attendance, discipline issues and other behavioural impact areas is not covered.

2.5. Monitoring

Monitoring Activities. "Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board …"


2.5.1. Monitoring – summary highlights

The gaps in both regulations relate to monitoring the control environment and outside information (complaints etc.) to also form a view of the organisation. Control effectiveness and the completion of corrective actions are covered in both regulations, but again risk is only partially covered, as this relates mainly to risk to the fund.

2.5.2. Monitoring – areas for consideration / consistency

The regulations both concentrate on monitoring what is easier to measure, but fail to adequately cover the people elements. Control environment, change management and people engagement are gaps in the monitoring arrangements.

What the regulations do cover repeats the earlier elements of the control framework: risk, and internal and external audit recommendations and reports. With follow-up, the emphasis is on fund-related actions rather than the wider organisational points.

The lack of a clearly defined Internal Audit function within Structural Funds is an issue, as any kind of assurance liaison between Internal and External audit is then not possible. With Agricultural Funds both functions, internal and external, are defined, but the connection between them, their plans and their testing is only suggested in supporting guidance notes. There is a great opportunity here to create stronger ties between the audit services, allowing greater reliance to be placed on work and testing already completed and reducing the possibility of duplicating the testing on the same transactions.

3. USING COSO

3.1. Limitations of Internal Control

The COSO framework acknowledges that there are limitations related to any system of internal control. For example, certain events or conditions are beyond an organization's control, and no system of internal control will always do what it was designed to do. Controls are performed by people and are subject to human error, uncertainties inherent in judgment, management override, and their circumvention due to collusion.

An effective system of internal control recognizes these inherent limitations and addresses ways to minimize these risks through the design, implementation, and conduct of the system of internal control. However, an effective system will not eliminate these risks. An effective system of internal control (and an effective system of internal control over financial reporting) provides reasonable assurance, not absolute assurance, that the entity will achieve its defined operating, reporting, and compliance objectives.

3.2. Major Deficiency

The 2013 COSO framework requires, for an effective system of internal control, that each of the five components and the 17 relevant principles be present and functioning and that the five components operate together in an integrated manner. Present means that the components and relevant principles exist in the design and implementation of the system of internal control, and functioning means that the components and relevant principles continue to exist in the conduct of the system of internal control. A major deficiency is defined as an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives. A major deficiency exists when management determines that a component and one or more relevant principles are not present and functioning or that components are not operating together. We can confirm that all areas are covered, but to optimise the current arrangement(s) there are areas for consideration of improvement and consistency between these regulations, and for a greater emphasis on control environment and risk assessment arrangements.

3.3. Transition

The explicit nature of the principles in the COSO model will require the entity to address whether internal controls related to the relevant 17 principles are present and functioning, to reconsider the nature and effectiveness of previously identified internal controls over financial reporting, and to identify new controls that are more effective or efficient.

Conclusion

Overall, the analysis has highlighted that these two EU regulations would benefit from alignment in key areas – so simplification through alignment is a key message. This will be particularly beneficial at all levels, from beneficiary up, where dual funding considerations (e.g. EAFRD – EMFF) require slightly different controls / checks. This should also have a positive impact on reducing error rates.

The analysis within this paper highlights that greater regulatory emphasis on establishing a robust control environment (the 'people' dimension) and setting the right 'tone at the top' will allow for a more risk-based approach, leading to a reduction in excessive control activities and a more efficient, effective use of the key controls. It should also be noted that these elements may well exist in national legislation, but even if this is the case, mention of these requirements within the regulations, as a minimum, would enhance the internal control arrangements underpinning the management of EU funds.

Additionally, greater alignment of the various levels of audit, internal and external, where assurance is taken from each group and sampling is complementary rather than repeated, will also allow for greater efficiencies.


4. TOPICS FOR DISCUSSION

(1) What national level requirements exist in your country in relation to the control environment issues highlighted through the analysis? Could and/or should these be specifically included in the EU funds regulations?

(2) Which areas of the analysis are of most use to you, and why? How do you feel that you could use this analysis in your country?

(3) Based on your experiences, what do you see as the key areas for control simplification / optimisation?


ANNEX 1

Control Environment review

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| 1) The organisation demonstrates a commitment to integrity and ethical values. | | | | |
| Codes of conduct. | Unit management understand the Organisation's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large. | Policies are poorly understood. | Covered | Partial |
| Conflicts of interests. | Unit management understand the Organisation's policies regarding potential conflicts of interest. | Policies are poorly understood. | Covered | Covered |
| Integrity. | Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values. | Management does not set a good example and/or does not communicate high expectations regarding integrity and ethical values. | Covered | Covered |
| 2) The oversight body demonstrates independence from management and exercises oversight of the development and performance of internal control. | | | | |
| Job descriptions. | Responsibilities are clearly defined in writing and communicated as appropriate. | Responsibilities are poorly defined or poorly communicated. | Partial | Covered |
| Knowledge and Skills. | Unit management (directors and supervisory staff) understand the knowledge and skills required to accomplish tasks. | Management does not adequately consider knowledge and skill requirements. | Partial | Covered |
| Employee competence. | Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low. | Management is not adequately aware of competency levels, or does not actively address problems. | Partial | Partial |
| Internal Audit service. | Independent IA service organisationally separate from operations. | No IA service or service conflicted by operational responsibilities. | Unclear | Covered |
| 3) Management establishes, with oversight by the oversight body, structures, reporting lines, and appropriate authorities, responsibilities and empowerments in the pursuit of objectives. | | | | |
| Complexity of the organizational structure. | Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date. | Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity. | Covered | Covered |
| Organization charts. | Documentation exists and is up to date. | Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities. | Partial | Covered |
| Size of the management group. | Size is commensurate with the complexity of the unit and its growth. | Size is not appropriate (e.g., too many levels, too dispersed, or too "thin"). | Partial | Partial |
| Stability of the management group. | Low turnover. | High turnover. | Unclear | Unclear |
| Communication with Directors and Organisation. | Unit management insists on full and open disclosure of financial or business issues with appropriate directors and Organisation personnel. | Management is secretive and reluctant to conduct business or deal with issues in an open manner. | Partial | Unclear |
| Laws and regulations. | There is active concern and effort to ensure compliance with the letter and intent of appropriate laws and regulations. | Management is willing to risk the consequences of non-compliance. | Covered | Covered |
| Getting the job done. | Management is concerned with and exerts effort to get the job done right the first time. | Management is willing to get the job done without adequate regard to quality. | Unclear | Unclear |
| 4) The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives. | | | | |
| Selection of personnel. | A careful recruitment process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements. | The recruitment process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors. | Partial | Partial |
| Training. | On-the-job and other training programs have defined objectives. They are effective and important. | Training programs are inconsistent, ineffective, or are given low priority. | Covered | Partial |
| Supervision policies. | Personnel are adequately supervised. They have a regular resource for resolving problems. | Regular supervision does not exist or is ineffective. Employees are frustrated and feel they 'have nowhere to go' with issues. | Covered | Covered |
| Inappropriate behaviour. | Inappropriate behaviour is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. | Reprimands are not timely, direct, or are not consistently applied (climate of favouritism). | Unclear | Unclear |
| Evaluation of personnel. | An organized evaluation process exists. | The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed. | Unclear | Unclear |
| Methods to compensate personnel. | Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions | | | |

is defined and communicated.

Compensation decisions are ad hoc, inconsistent, or

inadequately reviewed by management. Unclear Unclear

Turnover. Particularly

turnover in financially

responsible positions.

Low turnover. Management understands root causes of turnover. High turnover. Management does not understand root causes. Unclear Unclear

Knowledge and

experience.

Key personnel are knowledgeable and experienced. Management

does not delegate authority to inexperienced individuals.

Key personnel are inexperienced. Management delegates

authority without regard to knowledge and experience. Covered Covered

Resources. Management provides the resources needed for employees to carry

out their duties.

Management does not provide necessary resources. Covered Covered

Staffing of critical

functions.

Critical functions are adequately staffed, with reasonable

workloads.

There is inadequate staffing and frequent periods of overwork

and "organizational stress." Partial Partial

5) The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Approach to financial

accountability.

Management’s approach shows concern and appreciation for

accurate and timely reporting. Budgeting and other financial

estimates are generally conservative.

Financial accountability is given low priority. Covered Partial

Delegated signature

authority.

Appropriate limits have been placed on each delegation of

signature authority. Management reviews and updates signature

records as turnover occurs.

Signature authority is delegated without adequate

consideration. Delegated authority is not in line with

employee knowledge, training, or competence.

Covered Covered

Exceptions to policy. Exceptions to policy are infrequent. When they occur they must be

approved and well documented.

Exceptions to policy are the norm and are rarely documented. Covered Covered

Page 16: Public Internal Control Systems in the European Unionec.europa.eu/budget/pic/lib/docs/2017/CD_08_ControlOptimisationAn… · Public Internal Control Systems in the European Union

12

Control Environment review

Assessment Criteria Indicator of a stronger control requirement Indicator of weaker control requirement S Funds Ag Funds

Approach to decision

making.

Decision-making processes are deliberate and consistent.

Decisions are made after careful consideration of relevant facts.

Policies and procedures are in place to ensure appropriate levels of

management are involved.

Decision making is nearly always informal. Management

makes arbitrary decisions with inadequate discussion and

analysis of the facts.

Covered Partial

Delegation of authority

and assignment of

responsibility for

operating and financial

functions.

Delegation of authority and assignment of responsibility is clearly

defined. Individuals are held accountable for results.

Decisions are dominated by one or a few individuals. Roles

and responsibilities of middle management are unclear. Covered Covered

Authority limits. Authority limits are clearly defined in writing and communicated

as appropriate.

Policies and procedures covering authority limits are informal

or poorly communicated. Partial Covered

Emphasis on meeting

budget and other

financial and operating

goals.

Realistic budgets are established and results are actively

monitored. Corrective action is taken as necessary. The unit learns

from, and does not repeat, mistakes.

Management either shows little concern (climate of laxness),

or makes unreasonable demands (climate of fear). Covered Partial

Risk Assessment review

6) The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Unit-wide objectives. | A formal unit-wide mission or value statement is established and communicated throughout the unit. | A unit-wide mission or value statement does not exist. | Partial | Partial |
| Critical success factors. | Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance. | Success factors are not identified or prioritized. | Covered | Partial |
| Activity-level objectives. | Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations. | Activity-level objectives do not exist. | Covered | Partial |
| Measurement of objectives. | Unit-wide and activity level objectives include measurement criteria and are periodically evaluated. | Performance regarding objectives is not measured. Targets are not set. | Covered | Partial |
| Long and short-range planning. | Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed. | No organized planning process exists. There are frequent shifts in direction or emphasis. | Covered | Unclear |
| Budgeting system. | Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps. | Budgets do not exist or are "backed into" depending on desired outcome. | Covered | Covered |
| Strategic planning for information systems. | Planning for future needs is done well in advance of expected needs and considers various scenarios. | The information system lags significantly behind the needs of the business. | Partial | Partial |

7) The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Identification and consideration of external risk factors. | A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans. | Potential or actual external risk factors are not effectively identified or evaluated. | Unclear | Unclear |
| Identification and consideration of internal risk factors. | A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed programs, etc.) on unit-wide objectives and plans. | Potential or actual internal risk factors are not effectively identified or evaluated. | Unclear | Unclear |
| Prioritization of risks. | The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action. | Risks have not been prioritized. | Unclear | Unclear |
| Process for monitoring risks. | A risk management program is in place to monitor and help mitigate exposures. | Exposure is dealt with on a case by case basis. Regular efforts or programs to manage risks do not exist. | Partial | Partial |
| Approach to studying risks. | In-depth, cost / benefit studies are performed before committing significant unit resources. | Risks are accepted with little or no study. | Unclear | Unclear |

8) The organisation considers the potential for fraud in assessing risks to the achievement of objectives.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Fraud related risks are considered. | A risk management program is in place to monitor and help mitigate fraud and error exposures. | Exposure is dealt with on a case by case basis. Regular efforts or programs to manage fraud risks do not exist. | Covered | Covered |
| Consultation with external advisors. | External advisors are consulted as needed to supplement internal expertise. | Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources. | Covered | Partial |

9) The organisation identifies and assesses changes that could significantly impact the system of internal control.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Commitment to change. | Management promotes continuous improvement and solicits input and feedback on the implications of significant change. | Management promotes the status quo, even when changes are needed to meet important business needs. | Unclear | Unclear |
| Support of change. | Management is willing to commit resources to achieve positive change. | Management offers no resources to facilitate change. | Unclear | Unclear |
| Routine change. | Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps. | Procedures are not present or are ineffective. | Unclear | Unclear |
| Economic change. | Mechanisms exist to identify and react to economic changes. | Procedures are not present or are ineffective. | Partial | Partial |
| Regulatory change. | Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in Organisation forums, etc.). | Procedures are not present or are ineffective. | Covered | Covered |
| Technological change. | Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit. | Procedures are not present or are ineffective. | Unclear | Unclear |

Control Activities review

10) The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Senior management reviews. | Senior management monitors the unit's performance against objectives and budget. | Senior management does not monitor unit performance. | Covered | Covered |
| Top level (unit-wide) objective performance reviews by unit management. | Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on significant deviations. | Covered | Covered |
| Top level (unit-wide) financial performance reviews by unit management. | Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on significant deviations. | Covered | Covered |
| Direct functional or activity management by unit management. | Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues. | No performance reviews occur. | Covered | Covered |
| Performance indicators. | Unexpected operating results or unusual trends are investigated. | Operating results and trends are not monitored. | Covered | Partial |
| Accounting statements and key reconciliations. | Accounting statements and key reconciliations are completed timely. Management performs a diligent review and signifies approval by signature and date. | Reconciliations are not performed timely or regularly. Management does not carefully review or formally approve statements or reconciliations. | Covered | Covered |
| Sponsored project management. | Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Unit management monitors the portfolio of sponsored projects for compliance and fiscal responsibility. | Sponsored project accounts are not monitored; reconciliations and certifications are not timely. | Covered | Covered |
| Use of restricted funds (gifts). | Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management, accounts are reconciled. | Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions. | Covered | Unclear |
| Information processing. | Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions. | No information processing controls are in place. | Covered | Covered |
| Physical controls. | Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records. | Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date. | Covered | Covered |
| Separation of duties. | Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated). | No significant separation of financial duties among different employees. | Covered | Covered |
| Record retention. | Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed. | Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate. | Covered | Covered |
| Disaster response plan. | A disaster response and recovery plan has been developed and is understood by key personnel. | No disaster response or recovery plan exists. | Covered | Covered |

11) The organisation selects and develops general control activities over technology to support the achievement of objectives.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Local information systems and LANs. | System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained. | Inadequate controls over local information systems or LANs. | Covered | Covered |
| Back Up. | Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss. | No formal back up procedures exist. Management has not informed staff of back up requirements. | Covered | Covered |
| Application controls. | The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system. | Application controls are not used. | Covered | Covered |

12) The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Access to Organisation policies and procedures. | Unit staff have available up to date Organisational policy and procedures and know how to use them. | Organisation policy and procedures are not available or are rarely used. | Covered | Covered |
| Training and guidance for asset custodians. | Adequate guidance and training are provided to personnel responsible for cash or similar assets. | No training or guidance is provided. | Partial | Partial |
| Unit policies and procedures. | The unit has documented its own policies and procedures. They are well understood by unit staff. | Unit policies and procedures do not exist. | Covered | Covered |

Information and Communication review

13) The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Relevant external information. | Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors that affect the unit. | Relevant information is not available. | Covered | Covered |
| Management reporting system. | An executive information system exists. Information and reports are provided timely. Report detail is appropriate for the level of management. Data is summarized to facilitate decision making. | A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail. | Unclear | Unclear |
| Policy enforcement and discipline. | Employees who violate an important policy are disciplined. Management's communications and actions are consistent with policies. | Violations, while not condoned officially, are often overlooked. Management's actions are inconsistent with official policies. | Unclear | Unclear |
| Management of information security. | Information is evaluated and classified based on level of integrity, confidentiality and availability. Individuals with access to information are trained to understand their responsibilities related to the information. | Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security. | Covered | Covered |

14) The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Formal communications. | Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices). | To the extent that they exist, policies are buried in unused manuals and documents. | Covered | Covered |

15) The organisation communicates with external parties regarding matters affecting the functioning of internal control.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| External communications. | Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, sponsors, subcontractors, sub-recipients). | No external communication of standards and expectations. | Covered | Covered |
| Communication with auditors. | Information is openly shared with outside auditors. | Information is kept secret from outside auditors. | Partial | Partial |

Monitoring Activities review

16) The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Effectiveness of key control activities. | Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met. | Management never performs spot-checks. | Covered | Covered |
| Management supervision of accounting function. | Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing). | Policies are ad hoc or poorly communicated. | Covered | Covered |
| Management supervision of new systems development. | Policies are defined for developing new systems or changes to existing systems (cost/benefit analysis, team composition, user specifications, documentation, acceptance testing, and user approval). | Policies and procedures are ad hoc, poorly communicated, or ineffective. | Partial | Partial |
| Management follow-up of violations of policies. | Timely corrective action is taken. | Follow-up is sporadic. | Partial | Partial |
| External or internal audit findings. | Findings are considered and immediately acted upon at appropriate levels. | Consideration of findings is delegated to lower levels or is given low priority. | Partial | Partial |
| Changes in conditions (e.g., economy, regulatory, technology, or competitive). | Changes are anticipated and routinely integrated into ongoing long- and short-range planning. | Responses are reactive rather than proactive. | Partial | Partial |
| Monitoring of control environment. | Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Assessment processes do not exist. | Unclear | Unclear |
| Evaluation of risk assessment process. | Management periodically evaluates the effectiveness of its risk assessment process. | Assessment processes do not exist. | Partial | Partial |
| Assessment of design and effectiveness of internal controls. | Internal controls are subject to a formal and continuous internal assessment process. | Assessment processes do not exist. | Covered | Covered |
| Evaluation of information and communication systems. | Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent. | Assessment process does not exist. | Partial | Partial |
| Budget analysis. | Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments. | An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations. | Covered | Covered |

17) The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the oversight body, as appropriate.

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| Industry and professional associations. | Data is used to compare the unit’s performance with peers or industry standards. | Comparative data is not regularly monitored. | Partial | Partial |
| Regulatory authorities. | Reports from regulatory bodies are considered for their internal control implications. | Response is limited to what is necessary to "get by" the regulators. | Covered | Covered |
| Sponsors, staff, suppliers, creditors, and other third parties. | Root causes of inquiries or complaints are investigated and considered for internal control implications. | Inquiries or complaints are dealt with case-by-case, with little or no follow-up. | Unclear | Unclear |
| External auditors. | Information provided by external auditors about control-related matters is considered and acted on at high levels. | Findings are referred to lower levels or are explained away. | Covered | Covered |