Public Internal Control Systems in the European Union
Control Optimisation and Simplification
Discussion Paper No. 11
Ref. 2017-4
The information and views set out in this paper are those of the informally-organised PIC
Working Group and do not necessarily reflect the official opinion of the European Union.
Neither the European Union institutions and bodies nor any person acting on their behalf
may be held responsible for the use which may be made of the information contained
therein.
Control optimisation and simplification
For many years we have all worked with EU regulations and probably asked ourselves
the question – why are the requirements different? Why are the checks similar, but not
the same? And probably other questions.
This paper takes two of the main regulations covering EU payments and analyses them
against the COSO framework and at the same time each other, to look for opportunities
to optimize, and potentially simplify controls.
This paper aims at highlighting points for further consideration and consultation and to
generate discussion both among Member States and with the European Commission, on
simpler and equally or more effective control arrangements.
TABLE OF CONTENTS
1. INTRODUCTION ....................................................................................................... 1
1.1. Overview of the regulations .............................................................................. 2
1.1.1. Agricultural Funds ............................................................................... 2
1.1.2. Structural Funds .................................................................................. 2
2. ANALYSIS OF FUND REQUIREMENTS ............................................................... 2
2.1. Control Environment ......................................................................................... 2
2.1.1. Control Environment – summary analysis .......................................... 3
2.1.2. Control Environment – areas for consideration / consistency ............. 3
2.2. Risk Assessment ................................................................................................ 3
2.2.1. Risk Assessment – summary analysis ................................................. 4
2.2.2. Risk Assessment – areas for consideration / consistency .................... 4
2.3. Control Activities .............................................................................................. 4
2.3.1. Control Activities – summary highlights ............................................ 4
2.3.2. Control Activities – areas for consideration / consistency .................. 5
2.4. Information and Communication ...................................................................... 5
2.4.1. Information and Communication – summary highlights .................... 5
2.4.2. Information and Communication – areas for consideration / consistency ......... 5
2.5. Monitoring ......................................................................................................... 5
2.5.1. Monitoring – summary highlights ....................................................... 6
2.5.2. Monitoring – areas for consideration / consistency ............................. 6
3. USING COSO ............................................................................................................. 6
3.1. Limitations of Internal Control.......................................................................... 6
3.2. Major Deficiency ............................................................................................... 6
3.3. Transition........................................................................................................... 7
4. TOPICS FOR DISCUSSION ...................................................................................... 8
LIST OF ACRONYMS
AA Audit Authority
CA Certifying Authority
CF Cohesion Fund
COSO Committee of Sponsoring Organizations of the Treadway Commission
EAFRD European Agricultural Fund for Rural Development
EAGF European Agricultural Guarantee Fund
EC European Commission
ECA European Court of Auditors
EMFF European Maritime and Fisheries Fund
ERDF European Regional Development Fund
ESF European Social Fund
EU European Union
IA Internal Audit
MA Managing Authority
PA Paying Agency
1. INTRODUCTION
As challenges for public sector organisations increase and finances become more restricted, so
do the constraints under which they operate and the risks that they accept. It is essential that
there is an effective and efficient system of internal control which optimises the available
controls, is proportionate to the risks and strikes the right balance between national and EU
control requirements.
This Discussion Paper raises some of the main points for debate and offers further food for
thought in the key areas of control, risk and regulation, and simplification.
We have taken the control frameworks for two of the biggest areas of EU funding
(Agricultural Funds and Structural Funds) and compared them, with a view to identifying any
alignment, any unclear areas and any areas where there is a difference in the implementation
approach (including the relationships between the various review bodies). From this analysis
we have then explored opportunities for consistency, good practice, simplification and
efficiencies.
Based on the current control arrangements, we compared these fund controls with a known
control framework (COSO) to build on previous PIC Network efforts on Assurance
Frameworks and Assurance Maps. Each section of COSO and its supporting principles is
revisited below, and each of the regulations is considered alongside what we view as good
practice and what we view as weaker control arrangements. These criteria are based on an
evolved approach, as used in the United Kingdom.
The high-level analysis simply shows where good indicators are listed as requirements
(Green); where they are not mentioned, we show these as Unclear (Amber); and where there
is partial coverage (Grey). At the end of each section on COSO we compare and contrast the
regulations, and offer some suggestions for simplification, consistency and alignment to good
practice.
The basis for the regulatory requirements for each fund is:
Commission Delegated Regulation (EU) No 907/2014 of 11 March 2014 supplementing
Regulation (EU) No 1306/2013 of the European Parliament and of the Council with regard
to paying agencies and other bodies, financial management, clearance of accounts,
securities and use of euro.
Regulation (EU) No 1306/2013 of the European Parliament and of the Council of 17
December 2013 on the financing, management and monitoring of the common agricultural
policy and repealing Council Regulations (EEC) No 352/78, (EC) No 165/94, (EC) No
2799/98, (EC) No 814/2000, (EC) No 1290/2005 and (EC) No 485/2008.
Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17
December 2013 laying down common provisions on the European Regional Development
Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for
Rural Development and the European Maritime and Fisheries Fund and laying down
general provisions on the European Regional Development Fund, the European Social
Fund, the Cohesion Fund and the European Maritime and Fisheries Fund and repealing
Council Regulation (EC) No 1083/2006 [1].
1.1. Overview of the regulations
1.1.1. Agricultural Funds
The Common Agricultural Policy (CAP) is financed by two funds, which form part of the
EU's general budget: the European Agricultural Guarantee Fund (EAGF) which primarily
finances direct payments to farmers and measures to regulate agricultural markets, and the
European Agricultural Fund for Rural Development (EAFRD) which co-finances rural
development programmes of the Member States.
The EAGF and EAFRD are implemented in shared management between the Member States
and the Union. This means, among other things, that the European Commission does not make
payments directly to the beneficiaries of aid; this task is delegated to the Member States.
The controls analysed are those that must be followed by all Accredited Paying Agencies who
administer the funds and make payments to agricultural beneficiaries.
1.1.2. Structural Funds
The Structural Funds expenditure is financed by four funds, which form part of the EU’s
general budget: the European Regional Development Fund (ERDF), the European Social
Fund (ESF), the Cohesion Fund (CF) and the European Maritime and Fisheries Fund (EMFF).
All those funds primarily co-finance operational programmes, prepared by Member States, in
the field of a single policy area or multi-funded operational programmes and agreed between
the European Commission and the Member State.
2. ANALYSIS OF FUND REQUIREMENTS
At annex 1, we include a detailed evaluation of the COSO principles against the requirements
of each fund. We set out below the highlights of the key findings against each of the five
main COSO components.
2.1. Control Environment
In this section we explore the clarity of the ethical values and integrity of the organisation,
that the oversight roles in the organisation are clearly defined and where appropriate are
independent, providing effective oversight of the development and performance of internal
controls, including appropriate reporting lines into a robust governance and accountability
structure with appropriate skills to support the achievement of the organisational objectives.
COSO states that the "Control Environment is the set of standards, processes, and structures
that provide the basis for carrying out internal control across the organization. The board of
directors and senior management establish the tone at the top regarding the importance of
internal control and expected standards of conduct.”
[1] In this context, relevant provisions are included in Parts Three and Four of Regulation (EU) No 1303/2013 of
the European Parliament and of the Council of 17 December, applicable only to ERDF, ESF, CF and EMFF
and not to the EAFRD, for which Regulation (EU) No 1306/2013 applies.
2.1.1. Control Environment – summary analysis
There are a number of inconsistencies between the two funding regulations, but it is perhaps
the lack of an internal audit service requirement in Structural Funds that stands out most. There
are many areas that are unclear, and they relate to people factors: staff turnover, performance
management and how to deal with exceptions. As to codes of conduct, both regulations
require these to be in place, but there is no requirement that they be applied.
There are many opportunities to improve the control environment in both regulations, and to
introduce consistency and commonality which would ease Member State compliance.
Given the lack of a requirement for an internal audit service (Structural Funds), and the
limited coverage of the markers of a good control environment, this could well lead to
overcompensation in other areas of the COSO framework.
2.1.2. Control Environment – areas for consideration / consistency
Consistency between the regulations on the identification and management of potential
conflicts could usefully be explored, as this could cause confusion and challenges for Member
States where co-financed measures between the funds are in place.
There is an opportunity to be clearer in defining the key roles. The roles of the Managing
Authority (MA), Certifying Authority (CA) and Audit Authority (AA) are clear, but the
key roles beyond this lack clarity. For agricultural funds the role of the Paying Agency (PA)
has a clearer definition and an independent Internal Audit service is required;
this role is missing from the Structural Funds management arrangement.
Other areas worthy of further consideration include:
Greater use of qualitative data – high turnover of people could indicate issues within the
control environment;
Better definition of required people competences, to enhance selection and recruitment
procedures; and,
A greater emphasis on the behavioural aspects of management to set the ‘tone at the top’, in
both regulations.
In this respect, it is worth noting that the paying agencies managing agricultural funds must
comply with a "human-resource standard" as part of the accreditation criteria, including
minimum skills, division of duties, written job descriptions, compulsory training and conflict
of interest avoidance.
2.2. Risk Assessment
"Risk Assessment involves a dynamic and iterative process for identifying and analysing
risks to achieving the entity’s objectives, forming a basis for determining how risks should be
managed. Management considers possible changes in the external environment and within its
own business model that may impede its ability to achieve its objectives.”
2.2.1. Risk Assessment – summary analysis
Both regulations adequately capture the need for risk(s) to the fund, including fraud related
risks, to be managed.
The risk assessment direction, provided in both regulations, tends to focus on operational
level risks, with very little in terms of strategic risks. Change related risks in terms of
regulatory and economic change are covered, but many other change related risks are not.
A focus on operational risks without consideration of the strategic ones is likely to lead to
short-term strategies for managing the risks, which in turn may lead to a cyclical approach to
control and assurance, where the values tested are selected on a random basis.
2.2.2. Risk Assessment – areas for consideration / consistency
Consistency between the regulations on the identification and management of risks could
usefully be explored, with Structural Funds defining a better model for monitoring strategic
level risks, by virtue of the strong links to programme outcomes. That said, neither regulation
says much on the wider organisational risk management of the Managing Authority or Paying
Agency. Greater consideration could also be given to enhancing the risk assessment in the
regulations to go beyond operational risks and to be more strategic in terms of the focus on
outcomes.
The role of risk in both regulations is primarily looking at the risks to funding, mainly for the
selection of inspections (on-the-spot-checks) around factors specific to the programme or
fund(s); beyond this, risk is not considered. There are many other areas of risk that will
impact on delivering the expected outcomes; change and technology are some. That said, a
greater view of risks (internal and external) and a prioritisation of these risks may allow for
some managed risks to be taken where the cost of control exceeds the value at risk – this
would require a mind-set change and a move away from the compliance regimes that are in
place for both regulations.
2.3. Control Activities
"Control Activities are the actions established by the policies and procedures to help ensure
that management directives to mitigate risks to the achievement of objectives are carried out.
Control activities are performed at all levels of the entity, at various stages within business
processes, and over the technology environment. They may be preventive or detective in
nature and may encompass a range of manual and automated activities such as
authorizations and approvals, verifications, reconciliations, and business performance
reviews. Segregation of duties is typically built into the selection and development of control
activities. Where segregation of duties is not practical, management selects and develops
alternative control activities.”
2.3.1. Control Activities – summary highlights
Given the highlights in the control environment and risk assessment sections it is perhaps not
surprising that the control activities section has most of the markers covered and that there is
a lot of consistency between the two regulations. Of the areas around gifts and hospitality and
training in cash handling, the latter is not an issue as no EU funds are paid in cash.
Both regulations require management checks and inspections. The selection protocols for
inspections differ between the funds: Agricultural Funds inspections are based on a selected
percentage, while Structural Funds inspections are selected on the basis of risk. In both cases
value is a key selection criterion.
2.3.2. Control Activities – areas for consideration / consistency
The shared compliance focus of both regulations means that
the majority of the control activity elements are covered. That said, a better alignment of the
agricultural regulations to the approach on managing performance indicators would be
beneficial.
The agricultural regulations could be clearer on the controls around the area of gifts and
hospitality (potential risk of bribery of officials). A requirement to retain a register of these
aligns well with the conflicts of interest requirements and should be introduced. Again the
requirement is for these to be in place, but no mention is made of how they are being used or
applied.
2.4. Information and Communication
Information and Communication. “Information is necessary for the entity to carry out
internal control responsibilities in support of achievement of its objectives. Communication
occurs both internally and externally and provides the organization with the information
needed to carry out day-to-day internal control activities. Communication enables personnel
to understand internal control responsibilities and their importance to the achievement of
objectives.”
2.4.1. Information and Communication – summary highlights
There are many areas where the regulations are unclear on the liaison and relationship
between internal and external parties, including the audit functions. The open sharing of
internal audit reports is not highlighted in either regulation and is a missed opportunity. The
lack of open sharing potentially contributes to a lack of transparency and trust between
internal and external audit.
2.4.2. Information and Communication – areas for consideration / consistency
Both regulations cover the same markers consistently. Again the emphasis is on the activities
around processing and not the wider organisation. Management information data around
people attendance, discipline issues and other behavioural impact areas is not covered.
2.5. Monitoring
Monitoring Activities. “Ongoing evaluations, separate evaluations, or some combination of
the two are used to ascertain whether each of the five components of internal control,
including controls to effect the principles within each component, are present and functioning.
Findings are evaluated and deficiencies are communicated in a timely manner, with serious
matters reported to senior management and to the board.”
2.5.1. Monitoring – summary highlights
The gaps in both regulations relate to monitoring the control environment and using outside
information (complaints etc.) to also form a view of the organisation. Control effectiveness
and the completion of corrective actions are covered in both regulations, but again risk is only
partially covered, as this relates mainly to risk to the fund.
2.5.2. Monitoring – areas for consideration / consistency
The regulations both concentrate on monitoring what is easier to measure, but fail to
adequately cover the people elements. Control environment, change management and people
engagement are gaps in the monitoring arrangements.
When it comes to what is covered in the regulations, we begin to see the earlier elements of
the control framework highlighted again in this section: risk, and internal and external audit
recommendations and reports. With follow-up, the emphasis is on the fund-related actions,
but not on the wider organisational points.
The lack of a clearly defined Internal Audit function within Structural Funds is an issue, as it
makes any kind of assurance liaison between Internal and External audit impossible. With
Agricultural Funds both the internal and external functions are defined, but the connection between
them, their plans and their testing is only suggested in supporting guidance notes. There is a great
opportunity here to create stronger ties between the audit services, allowing for greater
reliance to be placed on work / testing completed and reducing the possibility of duplicating the
testing on the same transactions.
3. USING COSO
3.1. Limitations of Internal Control
The COSO framework acknowledges that there are limitations related to any system of
internal control. For example, certain events or conditions are beyond an organization’s
control, and no system of internal control will always do what it was designed to do. Controls
are performed by people and are subject to human error, uncertainties inherent in judgment,
management override, and their circumvention due to collusion.
An effective system of internal control recognizes its inherent limitations and addresses
ways to minimize these risks through the design, implementation, and conduct of the system of
internal control. However, an effective system will not eliminate these risks. An effective
system of internal control (and an effective system of internal control over financial reporting)
provides reasonable assurance, not absolute assurance, that the entity will achieve its defined
operating, reporting, and compliance objectives.
3.2. Major Deficiency
The 2013 COSO framework requires, for an effective system of internal control, that each of
the five components and the 17 relevant principles be present and functioning and that the five
components operate together in an integrated manner. Present means that the components and
relevant principles exist in the design and implementation of the system of internal control,
and functioning means that the components and relevant principles continue to exist in the
conduct of the system of internal control. A major deficiency is defined as an internal control
deficiency or combination of deficiencies that severely reduces the likelihood that the entity
can achieve its objectives. A major deficiency exists when management determines that a
component and one or more relevant principles are not present and functioning or that
components are not operating together. We can confirm all areas are covered, but to optimise
the current arrangement(s) there are areas for consideration of improvement and consistency
between these regulations, and a greater emphasis on control environment and risk
assessment arrangements.
3.3. Transition
The explicit nature of the principles in the COSO model will require the entity to address
whether internal controls related to the relevant 17 principles are present and functioning and
to reconsider the nature and effectiveness of previously identified internal controls over
financial reporting and to identify new controls that are more effective or efficient.
Conclusion
Overall, the analysis has highlighted that these two EU regulations would benefit from
alignment in key areas – so simplification through alignment is a key message. This will be
particularly beneficial at all levels, from beneficiary up, where dual funding considerations
(e.g. EAFRD – EMFF) require slightly different controls / checks. This should also have a
positive impact on reducing error rates.
The analysis within this paper highlights that greater regulatory emphasis on establishing a
robust control environment (the 'people' dimension) and setting the right ‘tone at the top’ will
allow for a more risk-based approach, leading to a reduction in excessive control activities and
a more efficient, effective use of the key controls. It should also be noted that these elements
may well exist in national legislation, but even if this is the case, mention of these
requirements within the regulations, as a minimum, would enhance the internal control
arrangements underpinning the management of EU funds.
Additionally, greater alignment of the various levels of audit, internal and external, where
assurance is taken from each group, and sampling is complementary, rather than repeated will
also allow for greater efficiencies.
4. TOPICS FOR DISCUSSION
(1) What national level requirements exist in your country in relation to the control
environment issues highlighted through the analysis? Could and/or should these
be specifically included in the EU funds regulations?
(2) Which areas of the analysis are of most use to you, and why? How do you feel
that you could use this analysis in your country?
(3) Based on your experiences what do you see as the key areas for control
simplification / optimisation?
ANNEX 1
Control Environment review

| Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds |
|---|---|---|---|---|
| 1) The organisation demonstrates a commitment to integrity and ethical values. | | | | |
| Codes of conduct | Unit management understand the Organisation's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large. | Policies are poorly understood. | Covered | Partial |
| Conflicts of interests | Unit management understand the Organisation's policies regarding potential conflicts of interest. | Policies are poorly understood. | Covered | Covered |
| Integrity | Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values. | Management does not set a good example and/or does not communicate high expectations regarding integrity and ethical values. | Covered | Covered |
| 2) The oversight body demonstrates independence from management and exercises oversight of the development and performance of internal control. | | | | |
| Job descriptions | Responsibilities are clearly defined in writing and communicated as appropriate. | Responsibilities are poorly defined or poorly communicated. | Partial | Covered |
| Knowledge and Skills | Unit management (directors and supervisory staff) understand the knowledge and skills required to accomplish tasks. | Management does not adequately consider knowledge and skill requirements. | Partial | Covered |
| Employee competence | Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low. | Management is not adequately aware of competency levels, or does not actively address problems. | Partial | Partial |
| Internal Audit service | Independent IA service organisationally separate from operations. | No IA service or service conflicted by operational responsibilities. | Unclear | Covered |
| 3) Management establishes, with oversight by the oversight body, structures, reporting lines, and appropriate authorities, responsibilities and empowerments in the pursuit of objectives. | | | | |
| Complexity of the organizational structure | Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date. | Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity. | Covered | Covered |
| Organization charts | Documentation exists and is up to date. | Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities. | Partial | Covered |
| Size of the management group | Size is commensurate with the complexity of the unit and its growth. | Size is not appropriate (e.g., too many levels, too dispersed, or too "thin"). | Partial | Partial |
| Stability of the management group | Low turnover. | High turnover. | Unclear | Unclear |
| Communication with Directors and Organisation | Unit management insists on full and open disclosure of financial or business issues with appropriate directors and Organisation personnel. | Management is secretive and reluctant to conduct business or deal with issues in an open manner. | Partial | Unclear |
| Laws and regulations | There is active concern and effort to ensure compliance with the letter and intent of appropriate laws and regulations. | Management is willing to risk the consequences of non-compliance. | Covered | Covered |
| Getting the job done | Management is concerned with and exerts effort to get the job done right the first time. | Management is willing to get the job done without adequate regard to quality. | Unclear | Unclear |
| 4) The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives. | | | | |
| Selection of personnel | A careful recruitment process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements. | The recruitment process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors. | Partial | Partial |
| Training | On-the-job and other training programs have defined objectives. They are effective and important. | Training programs are inconsistent, ineffective, or are given low priority. | Covered | Partial |
| Supervision policies | Personnel are adequately supervised. They have a regular resource for resolving problems. | Regular supervision does not exist or is ineffective. Employees are frustrated and feel they ‘have nowhere to go’ with issues. | Covered | Covered |
| Inappropriate behaviour | Inappropriate behaviour is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. | Reprimands are not timely, direct, or are not consistently applied (climate of favouritism). | Unclear | Unclear |
| Evaluation of personnel | An organized evaluation process exists. | The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed. | Unclear | Unclear |
| Methods to compensate personnel | Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions is defined and communicated. | Compensation decisions are ad hoc, inconsistent, or inadequately reviewed by management. | Unclear | Unclear |
| Turnover, particularly turnover in financially responsible positions | Low turnover. Management understands root causes of turnover. | High turnover. Management does not understand root causes. | Unclear | Unclear |
| Knowledge and experience | Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals. | Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience. | Covered | Covered |
| Resources | Management provides the resources needed for employees to carry out their duties. | Management does not provide necessary resources. | Covered | Covered |
| Staffing of critical functions | Critical functions are adequately staffed, with reasonable workloads. | There is inadequate staffing and frequent periods of overwork and "organizational stress." | Partial | Partial |
| 5) The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | | | | |
| Approach to financial accountability | Management’s approach shows concern and appreciation for accurate and timely reporting. Budgeting and other financial estimates are generally conservative. | Financial accountability is given low priority. | Covered | Partial |
| Delegated signature authority | Appropriate limits have been placed on each delegation of signature authority. Management reviews and updates signature records as turnover occurs. | Signature authority is delegated without adequate consideration. Delegated authority is not in line with employee knowledge, training, or competence. | Covered | Covered |
| Exceptions to policy | Exceptions to policy are infrequent. When they occur they must be approved and well documented. | Exceptions to policy are the norm and are rarely documented. | Covered | Covered |
| Approach to decision making | Decision-making processes are deliberate and consistent. Decisions are made after careful consideration of relevant facts. Policies and procedures are in place to ensure appropriate levels of management are involved. | Decision making is nearly always informal. Management makes arbitrary decisions with inadequate discussion and analysis of the facts. | Covered | Partial |
| Delegation of authority and assignment of responsibility for operating and financial functions | Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results. | Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear. | Covered | Covered |
| Authority limits | Authority limits are clearly defined in writing and communicated as appropriate. | Policies and procedures covering authority limits are informal or poorly communicated. | Partial | Covered |
| Emphasis on meeting budget and other financial and operating goals | Realistic budgets are established and results are actively monitored. Corrective action is taken as necessary. The unit learns from, and does not repeat, mistakes. | Management either shows little concern (climate of laxness), or makes unreasonable demands (climate of fear). | Covered | Partial |
Risk Assessment review

6) The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Unit-wide objectives. | A formal unit-wide mission or value statement is established and communicated throughout the unit. | A unit-wide mission or value statement does not exist. | Partial | Partial
Critical success factors. | Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance. | Success factors are not identified or prioritized. | Covered | Partial
Activity-level objectives. | Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations. | Activity-level objectives do not exist. | Covered | Partial
Measurement of objectives. | Unit-wide and activity-level objectives include measurement criteria and are periodically evaluated. | Performance regarding objectives is not measured. Targets are not set. | Covered | Partial
Long and short-range planning. | Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed. | No organized planning process exists. There are frequent shifts in direction or emphasis. | Covered | Unclear
Budgeting system. | Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps. | Budgets do not exist or are "backed into" depending on desired outcome. | Covered | Covered
Strategic planning for information systems. | Planning for future needs is done well in advance of expected needs and considers various scenarios. | The information system lags significantly behind the needs of the business. | Partial | Partial

7) The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Identification and consideration of external risk factors. | A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans. | Potential or actual external risk factors are not effectively identified or evaluated. | Unclear | Unclear
Identification and consideration of internal risk factors. | A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed programs, etc.) on unit-wide objectives and plans. | Potential or actual internal risk factors are not effectively identified or evaluated. | Unclear | Unclear
Prioritization of risks. | The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action. | Risks have not been prioritized. | Unclear | Unclear
Process for monitoring risks. | A risk management program is in place to monitor and help mitigate exposures. | Exposure is dealt with on a case-by-case basis. Regular efforts or programs to manage risks do not exist. | Partial | Partial
Approach to studying risks. | In-depth cost/benefit studies are performed before committing significant unit resources. | Risks are accepted with little or no study. | Unclear | Unclear

8) The organisation considers the potential for fraud in assessing risks to the achievement of objectives.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Fraud-related risks are considered. | A risk management program is in place to monitor and help mitigate fraud and error exposures. | Exposure is dealt with on a case-by-case basis. Regular efforts or programs to manage fraud risks do not exist. | Covered | Covered
Consultation with external advisors. | External advisors are consulted as needed to supplement internal expertise. | Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources. | Covered | Partial

9) The organisation identifies and assesses changes that could significantly impact the system of internal control.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Commitment to change. | Management promotes continuous improvement and solicits input and feedback on the implications of significant change. | Management promotes the status quo, even when changes are needed to meet important business needs. | Unclear | Unclear
Support of change. | Management is willing to commit resources to achieve positive change. | Management offers no resources to facilitate change. | Unclear | Unclear
Routine change. | Mechanisms exist to identify, prioritize, and react to routine events (e.g., turnover) that affect achievement of unit-wide objectives or action steps. | Procedures are not present or are ineffective. | Unclear | Unclear
Economic change. | Mechanisms exist to identify and react to economic changes. | Procedures are not present or are ineffective. | Partial | Partial
Regulatory change. | Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in Organisation forums, etc.). | Procedures are not present or are ineffective. | Covered | Covered
Technological change. | Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit. | Procedures are not present or are ineffective. | Unclear | Unclear
Control Activities review

10) The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Senior management reviews. | Senior management monitors the unit's performance against objectives and budget. | Senior management does not monitor unit performance. | Covered | Covered
Top level (unit-wide) objective performance reviews by unit management. | Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on significant deviations. | Covered | Covered
Top level (unit-wide) financial performance reviews by unit management. | Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. | Analyses are not performed or management does not follow up on significant deviations. | Covered | Covered
Direct functional or activity management by unit management. | Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues. | No performance reviews occur. | Covered | Covered
Performance indicators. | Unexpected operating results or unusual trends are investigated. | Operating results and trends are not monitored. | Covered | Partial
Accounting statements and key reconciliations. | Accounting statements and key reconciliations are completed in a timely manner. Management performs a diligent review and signifies approval by signature and date. | Reconciliations are not performed in a timely manner or regularly. Management does not carefully review or formally approve statements or reconciliations. | Covered | Covered
Sponsored project management. | Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures in a timely manner. Unit management monitors the portfolio of sponsored projects for compliance and fiscal responsibility. | Sponsored project accounts are not monitored; reconciliations and certifications are not timely. | Covered | Covered
Use of restricted funds (gifts). | Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management; accounts are reconciled. | Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions. | Covered | Unclear
Information processing. | Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions. | No information processing controls are in place. | Covered | Covered
Physical controls. | Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records. | Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date. | Covered | Covered
Separation of duties. | Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated). | No significant separation of financial duties among different employees. | Covered | Covered
Record retention. | Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed. | Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate. | Covered | Covered
Disaster response plan. | A disaster response and recovery plan has been developed and is understood by key personnel. | No disaster response or recovery plan exists. | Covered | Covered

11) The organisation selects and develops general control activities over technology to support the achievement of objectives.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Local information systems and LANs. | System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained. | Inadequate controls over local information systems or LANs. | Covered | Covered
Backup. | Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss. | No formal backup procedures exist. Management has not informed staff of backup requirements. | Covered | Covered
Application controls. | The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity, including completeness, accuracy, and validity of all information in the system. | Application controls are not used. | Covered | Covered

12) The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Access to Organisation policies and procedures. | Unit staff have up-to-date Organisational policies and procedures available and know how to use them. | Organisation policies and procedures are not available or are rarely used. | Covered | Covered
Training and guidance for asset custodians. | Adequate guidance and training are provided to personnel responsible for cash or similar assets. | No training or guidance is provided. | Partial | Partial
Unit policies and procedures. | The unit has documented its own policies and procedures. They are well understood by unit staff. | Unit policies and procedures do not exist. | Covered | Covered
Information and Communication review

13) The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Relevant external information. | Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors that affect the unit. | Relevant information is not available. | Covered | Covered
Management reporting system. | An executive information system exists. Information and reports are provided in a timely manner. Report detail is appropriate for the level of management. Data is summarized to facilitate decision making. | A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail. | Unclear | Unclear
Policy enforcement and discipline. | Employees who violate an important policy are disciplined. Management's communications and actions are consistent with policies. | Violations, while not condoned officially, are often overlooked. Management's actions are inconsistent with official policies. | Unclear | Unclear
Management of information security. | Information is evaluated and classified based on level of integrity, confidentiality and availability. Individuals with access to information are trained to understand their responsibilities related to the information. | Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security. | Covered | Covered

14) The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Formal communications. | Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices). | To the extent that they exist, policies are buried in unused manuals and documents. | Covered | Covered

15) The organisation communicates with external parties regarding matters affecting the functioning of internal control.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
External communications. | Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, sponsors, subcontractors, sub-recipients). | No external communication of standards and expectations. | Covered | Covered
Communication with auditors. | Information is openly shared with outside auditors. | Information is kept secret from outside auditors. | Partial | Partial
Monitoring Activities review

16) The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Effectiveness of key control activities. | Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met. | Management never performs spot-checks. | Covered | Covered
Management supervision of accounting function. | Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing). | Policies are ad hoc or poorly communicated. | Covered | Covered
Management supervision of new systems development. | Policies are defined for developing new systems or changes to existing systems (cost/benefit analysis, team composition, user specifications, documentation, acceptance testing, and user approval). | Policies and procedures are ad hoc, poorly communicated, or ineffective. | Partial | Partial
Management follow-up of violations of policies. | Timely corrective action is taken. | Follow-up is sporadic. | Partial | Partial
External or internal audit findings. | Findings are considered and immediately acted upon at appropriate levels. | Consideration of findings is delegated to lower levels or is given low priority. | Partial | Partial
Changes in conditions (e.g., economy, regulatory, technology, or competitive). | Changes are anticipated and routinely integrated into ongoing long- and short-range planning. | Responses are reactive rather than proactive. | Partial | Partial
Monitoring of control environment. | Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. | Assessment processes do not exist. | Unclear | Unclear
Evaluation of risk assessment process. | Management periodically evaluates the effectiveness of its risk assessment process. | Assessment processes do not exist. | Partial | Partial
Assessment of design and effectiveness of internal controls. | Internal controls are subject to a formal and continuous internal assessment process. | Assessment processes do not exist. | Covered | Covered
Evaluation of information and communication systems. | Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent. | Assessment process does not exist. | Partial | Partial
Budget analysis. | Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments. | An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations. | Covered | Covered

17) The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the oversight body, as appropriate.

Assessment Criteria | Indicator of a stronger control requirement | Indicator of weaker control requirement | S Funds | Ag Funds
Industry and professional associations. | Data is used to compare the unit's performance with peers or industry standards. | Comparative data is not regularly monitored. | Partial | Partial
Regulatory authorities. | Reports from regulatory bodies are considered for their internal control implications. | Response is limited to what is necessary to "get by" the regulators. | Covered | Covered
Sponsors, staff, suppliers, creditors, and other third parties. | Root causes of inquiries or complaints are investigated and considered for internal control implications. | Inquiries or complaints are dealt with case-by-case, with little or no follow-up. | Unclear | Unclear
External auditors. | Information provided by external auditors about control-related matters is considered and acted on at high levels. | Findings are referred to lower levels or are explained away. | Covered | Covered