Upload
mbuthiac-mbuthiac
View
225
Download
0
Embed Size (px)
Citation preview
7/31/2019 Control Risk Self Assessment Tool
1/36
MIG PROGRAMME CONTROL AND RISKSELF-ASSESSMENT WORKBOOK FOR
MUNICIPALITIES
7/31/2019 Control Risk Self Assessment Tool
2/36
WORKBOOK INDEX
A. Control and risk self assessment presentation
B. Introduction to control and risk self assessment
C. Control and risk self assessment template
D. Audit procedures
7/31/2019 Control Risk Self Assessment Tool
3/36
MIG PROGRAMME CONTROL AND RISKSELF-ASSESSMENT PRESENTATION TO
MUNICIPALITIES
PRESENTED BY THE MIG MACRO
CONSORTIUM
7/31/2019 Control Risk Self Assessment Tool
4/36
Presentation Outline
Principles of the Municipal Infrastructure Grant (MIG)
Objectives of MIG
MIG governance challenges?What is self-assessment?
Why perform a self-assessment?
Who performs a self-assessment?
How is self- assessment accomplished?
What is done with the self-assessment results?
Key questions?
7/31/2019 Control Risk Self Assessment Tool
5/36
Principles Of MIG Programme
Is a conditional grant in terms of DoRA:
n
Focus on infrastructure required for a basic level of servicen Targeting the poorn Maximising economic benefitsn
Equity in the allocation and use of fundsn Decentralisation of spending authority within national standardsn Efficient use of fundsn
Reinforcing local, provincial and national objectivesn Predictability and transparencyn Geared to achievement of objectives in one or more separate but
overlapping categories
7/31/2019 Control Risk Self Assessment Tool
6/36
Objectives Of MIG Programme
Is a conditional grant in terms of DoRA:
n
Fully subsidise the capital costs of providing basic services to thepoor householdsn Distribute funding for municipal infrastructure in an equitable,
transparent and efficient mannern Assist in enhancing the development capacity of municipalities,
through supporting multi-year planning and budgetingn Provide a mechanism for the co-ordinated pursuit of national
policy objectives with regard to basic municipal infrastructureprogrammes
n The devolution of responsibility to the lowest level
7/31/2019 Control Risk Self Assessment Tool
7/36
CRSA is a process through which internal control effectiveness is examined and assessed. The objective is toprovide reasonable assurance that all business objectives wbe met
CRSA is a process that generates information on internal control that is useful to management and internal auditors
judging the quality of business processes and controls
What Is Self-Assessment?
7/31/2019 Control Risk Self Assessment Tool
8/36
Why Perform A Self-Assessment?
The CRSA process allows management of the PMU and themunicipality directly responsible for the MIG Programme to:
n Participate in the identification and assessment of risks
n Evaluate risks
n Develop action plans to address identified weaknesses
n Asses the likelihood of achieving MIG objectives
n Measure, monitor and report on financial input and outcomes
7/31/2019 Control Risk Self Assessment Tool
9/36
Who Performs A Self-Assessment?
The CRSA process can be performed by two groups of people:
n Line management
n Internal audit
The real benefit is derived when management and staff take
ownership of the system of internal controls and uses CRSA as aproactive risk management tool that makes a difference and addsvalue to the business environment and control environment
lf l h d
7/31/2019 Control Risk Self Assessment Tool
10/36
How Is Self-Assessment Accomplished?
CRSA Approaches:n Facilitated team meetingsn The questionnaire approachn Management-produced analysis
CRSA Process:n Control-basedn Process-basedn Risk-basedn Objectives-based
We have made use of a combination model of the first three based
models
7/31/2019 Control Risk Self Assessment Tool
11/36
Process- Based Approach
MegaMega
MajorMajor MajorMajor
Sub
Activity
SuSub
ObjectivesObjectives
Controls
Controls
Controls
Risks
Risks
Risks
7/31/2019 Control Risk Self Assessment Tool
12/36
Risk - Based Approach
CRSA T l Ri k d C l
7/31/2019 Control Risk Self Assessment Tool
13/36
CRSA Template Risk and Control
CONTROL AND RISK SELF-ASSESSMENT TEMPLATE MIG PROGRAM
Inherent Risk Residual RiskMega / Major Process andRisks As Lik Imp
Leading Practice Control Actual Controls In PlaceAD NI IA
Action / Comments
STRATEGICStakeholder Management / Communication
ST1 - No or inadequatecommunication and orworking relationship betweenthe municipality and criticalexternal stakeholders (i.e.Sector Departments, Eskom,Provinces, dplg , etc.)
20 4 5 1.
A formal communicationstrategy and plan is in placewhere the critical stakeholdershave been identified
2. A review of the effectivenessof the communication processis undertaken on a regularbasis
3. Regular interfacing with theMIG Unit, SectorDepartments, provinces anddplg
4. MIG Orientation workshops5. Sector participation on PMITT
X
X
X
Action:
Responsible Person:
Due Date:
ST2 The relationship andcommunication between thePMU function and the otherdivisions/units within themunicipality is ineffective
5 5 1 1. A formal communicationstrategy and plan is in placeand has been rolled out
2. Regular meetings between thePMU function and othercritical divisions/units
3. Formal minutes of meetingsmaintained and circulated toall attendees in a timeousmanner
Action:
Responsible Person:
Due Date:
7/31/2019 Control Risk Self Assessment Tool
14/36
Internal Audit Software
I h t d R id l Ri k
7/31/2019 Control Risk Self Assessment Tool
15/36
Inherent and Residual Risk
Inherent risk before assessment of controls
Residual risk after assessment of controls
Objectives Process Controls
Inherent and Residual Risk
Risk
Residual RiskInherent Risk
What Is Done With The Self Assessment Results
7/31/2019 Control Risk Self Assessment Tool
16/36
What Is Done With The Self-Assessment Results
n Used by municipal management to improve controls, risk
management and expected outcomes
n Used by internal audit to report on control adequacy and improvescope of audit work
n Used by Audit Committee to determine control status
n Gives MIG Unit reasonable assurance and comfort
What Are The Benefits Of Self Assessment
7/31/2019 Control Risk Self Assessment Tool
17/36
What Are The Benefits Of Self-Assessment
n Attention is focused on key processes, risks and controlsn It encourages the idea that improvements to processes and control
should be continuous, empowering staff to remove inefficient orineffective practices
n It assists all employees at all levels to assume responsibility andaccountability for managing risks and effective control
n Corrective action may be more effective as staff own control andrisk improvements
n Improves managements ability to comment on the overalleffectiveness and state of internal control and risk managementn Identifies important issues fastern Provides a proactive tool to asses the control environment
7/31/2019 Control Risk Self Assessment Tool
18/36
No problem can be solved
from the same consciousnesswhich created it
Albert Einstein
Questions and Answers
7/31/2019 Control Risk Self Assessment Tool
19/36
Questions and Answers
Its a state of heart and mind and not a pure discipline
7/31/2019 Control Risk Self Assessment Tool
20/36
MUNICIPAL INFRASTRUCTURE GRANT (MIG) PROGRAMME INTERNALCONTROL AND RISK SELF-ASSESSMENT AT MUNICIPAL LEVEL
1. Introduction
The vision of MIG
To provide all South Africans with at least a basic level of service by the year 2013through the provision of grant finance aimed at covering the capital cost of basicinfrastructure for the poor. Through the application of MIG funds, Free BasicServices would be realised for the poorest of the poor, aligning national governmentsaim of poverty eradication with sector targets. The MIG has thus an overall target of removing the backlog with regard to access to basic municipal services over a 10-yearperiod.
The principles of MIG
The MIG funds that are being made available to municipalities for infrastructure, arebased on the following principles:
Providing services to the poor Providing infrastructure for basic levels of service Maximising economic benefits to communities Using funds efficiently Allocating funds equitably and in a transparent manner Decentralising the spending authorities Empowering municipalities to identify, select and approve projects
The entire approach of Municipal Infrastructure Grant (MIG) Programme is focusedon improving the capacity, efficiency, effectiveness, sustainability and accountabilityof local government. Whilst national and provincial government are responsible forcreating an enabling environment with regards to policy, financial and institutionalsupport for MIG, municipalities are responsible for planning municipal infrastructureand for utilising MIG funds to deliver infrastructure.
The MIG is a conditional grant to municipalities and thus the management of thegrant at municipal level must occur within the planning, budgeting, financialmanagement and operational arrangements at local level in terms of DoRA
7/31/2019 Control Risk Self Assessment Tool
21/36
2. Fundamentals of Control and Risk Self-Assessment
THE ROLES AND RESPONSIBILITIES OF MUNICIPALITIES
The framework of the roles and responsibilities of each sphere of governmentinvolved in the successful implementation of the MIG Programme is set out in theMIG Policy Framework [August 2003, version 8 (c)]. The Policy took cognisance of Chapter 3 and 7 of the Constitution of the Republic of South Africa, 1996, whichstates, among other, that the objectives of local government are to:
- ensure the provision of services to communities in a sustainable manner- promote social and economic development
Municipal responsibility is based on the Cooperative Governance principles reflectedin section 88 of the Municipal Structures Act (Act No. 117 of 1998) which stipulates:(1) A district municipality and the local municipalities within the area of that district municipality must cooperate with one another by assisting and supporting each other.(2) (a) A district municipality on request by a local municipality within its area may
provide financial, technical and administrative support services to that localmunicipality to the extent that that district municipality has the capacity to providethose support services.(b) A local municipality on request of a district municipality in whose area that localmunicipality falls may provide financial, technical and administrative support services to that district municipality to the extent that that local municipality has thecapacity to provide those support services.(c) A local municipality may provide financial, technical or administrative support services to another local municipality within the area of the same district municipality to the extent that it has the capacity to provide those support services, if the district municipality or that local municipality so requests.
All municipalities need to develop capacity to administer MIG funds and manageinfrastructure projects because all municipalities have to address infrastructurebacklogs of one type or another. The aim, therefore, is to establish projectmanagement capacity in all municipalities. However, some local municipalities donot at the moment have the necessary capacity to implement the MIG programme andit might take time to develop this capacity. In these cases, the approach isfor the district municipalities to administer MIG funds and to provide projectmanagement capacity until the local municipalities are able to perform programmemanagement.
7/31/2019 Control Risk Self Assessment Tool
22/36
Definition of internal control
Is a process, effected by a municipalities Councilors, executive management team,line management and other personnel, designed to provide reasonable assuranceregarding the achievement of strategic, operational and financial MIG Programmeobjectives in the following categories:
Effectiveness and efficiency of MIG Programme operations at municipal level Effective and efficient utilisation of MIG infrastructure assets and resources Reliability and integrity of MIG Programme financial and project management
and or operating systems, measuring, monitoring and reporting Compliance with applicable laws, policies and procedures surrounding the
development and future sustainability of MIG Infrastructure Assets
Internal controls are either preventive (errors, irregularities are identified andcorrected before they put the MIG funds and programme at risk) or detective (errors, irregularities are identified that have already put the MIG funds andprogramme at risk) by nature and have a direct correlation to the inherent risk exposure.
The ring-fenced municipal systems and processes together with the MIG ProjectManagement Function are responsible for establishing the required internal controlprocesses to ensure that the municipality stays on course toward fulfilling its financialand MIG Programme goals of developing the required basic infrastructure asdetermined by the provisions of the annual Division of Revenue Act (DoRA),ensuring that MIG funds have been spent for the purposes intended and that the futuresustainability .
Control And Risk Self-Assessment
Control and Risk Self-Assessment (CRSA) is a methodology used to review keybusiness objectives, risks and effectiveness of processes involved in achieving the
objectives, and internal controls designed to manage those risks. CRSA is basically aformal process that generates information on internal control that is useful to bothmanagement and internal auditors in validating the status or judging the adequacy of the control systems in place to address the identified strategic, financial andoperational risks. It can also provide a positive influence on the control environment,as operating staff (Executive Management, CFO, MIG Project Unit and the Internal
7/31/2019 Control Risk Self Assessment Tool
23/36
Increasing awareness of the MIG Programme objectives and the role of internal
control in achieving such goals and objectives. Motivating personnel to carefully design and implement control processes andcontinually improve the MIG Programme financial and operating controlprocesses.
CRSA Approaches
There are three primary CRSA approaches which are:
Facilitated team meetings Facilitated team meetings gather internal controlinformation from work teams which represent multiple levels within themunicipality (line management, office of the CFO and MIG Project Function).
Questionnaire approach This uses a survey instrument that offers opportunitiesfor simple (Inadequate, Needs Improvement and or Adequate) responses. Bothinternal audit and the business/risk process owners use the survey results to assessthe adequacy and or effectiveness of their control structure in meeting the MIGProgramme objectives and goals.
Management-Produced Analysis Is any approach that does not use a facilitatedmeeting or survey and basically makes use of an internal audit or managementapproach that producers a study of the business processes, risks and requiredtreatments (more in line with Enterprise-wide Risk Management techniques).
It is suggested that municipalities combine the first two approaches reflected above toaccommodate the specific MIG Programme and DoRA requirements and needs of dplg head office (MIG Unit) and the municipalities own control and risk assuranceneeds.
3. Control and Risk Self-Assessment Instructions
The responsibility for undertaking the CRSA process is normally shared among all
employees of the municipality. Where there is an in-house, outsourced or co-sourcedinternal audit function in place, it is suggested that the internal audit function takeresponsibility for undertaking the CRSA review. However, where there is no internalaudit function in place then the CRSA review should be undertaken by the head of themunicipal MIG Project Function, under guidance of the MIG Unit ( dplg head office).
7/31/2019 Control Risk Self Assessment Tool
24/36
Control based format This format focuses on how well the management
controls in place are actually working and which in turn are benchmarked againstthe leading practice controls that should be in place. This technique produces ananalysis of the gap between how controls are working and how managementintended these controls to work. In addition, this format can be effective inexamining soft controls such as management ethics, training and skills, etc.
Risk based format - This format focuses on identifying and managing the criticaland significant MIG Programme risks at a municipal level within therequirements of the MIG Policy and DoRA. The outcome of this technique is that
it examines the control activities to ensure that they are sufficient to address theidentified the key MIG Programme risks.
Procedure Internal Control Risk Self-Assessment
Who Must Complete the Document:
Where the municipality has a staffed-up internal audit function the head of internalaudit or where there is no internal audit function the head of the municipal MIGProject Management Unit function (PMU) must complete the CRSA making use of the electronically provided template Obtained from the dplg MIG Unit onwww. Furthermore, a combination of the Control based and Riskbased format, must be used as reflected above.
Roles and Responsibilities
Internal audit and the head of the MIG Project Management Unit Function areencouraged to use the questionnaire as the foundation to determine if a more in-depthreview of structures, processes, systems and controls are required surrounding theMIG Programme. This determination should be based on the Councils, municipalmanagers, line management and or Audit Committees experience and judgement.
The CRSA questionnaire does not take the place of the municipalitys performancemanagement system but runs alongside this system. The process is conducted withina structured environment in which the process is thoroughly documented and theprocess is repetitive as an incentive for continuous improvement. Furthermore, asCRSA is a technique that adds value to the internal auditing profession it caneffectively augment internal auditing as it judges the quality of internal controls.
7/31/2019 Control Risk Self Assessment Tool
25/36
The following table depicts the various areas of role and responsibility:
Role ResponsibilityInternal audit / MIGProject ManagementFunction
Completes CRSA questionnaire Retains original document for future reference Provides a copy and results of the control environment
status to the municipal manager and Audit Committee Sends copy to dplg MIG Unit
Project ManagementFunction
Monitors implementation of management treatmentsand or actions that explain how risks are mitigated
Retains submitted copies of completed forms andmanagement actions for future reference and for accessby internal audit
Suggests alternative procedures to the municipality Provides status of remedial action to the municipal
manager and Audit Committee
Sends copy to dplg MIG Unit
Internal audit Where internal audit does not complete the form butmanagement, internal audit verifies that the responseson the CRSA are the actual processes and that thecontrols and treatments have been implemented asstated by management
MIG Unit Assesses the impact of the CRSA reviews and theadequacy of the system of internal controls andconsolidate the areas of risk
Monitors the implementation of corrective action permunicipality
Provide holistic MIG Programme guidance and advicein a proactive manner
When To Complete The Self-Assessment:
The CRSA must be completed at least: On a bi annual basis Whenever there are significant personnel changes (MIG Project Management
Function)
7/31/2019 Control Risk Self Assessment Tool
26/36
Completing The Questionnaire:
Review the CRSA document located on www in the . Area ???????section. Where appropriate, comments have been embedded throughout thequestionnaire to provide the assessor with further explanation about the questionsshould it be required.
Making use of the Control based and Risk based approach a response to each andevery question on the CRSA questionnaire must be formally captured. Refer to the
municipalities MIG Programme, financial and supply chain management policies,procedures, or websites referenced on the questionnaire for additional information. If further clarification is needed, questions should be directed to a representative of theMIG Unit based in Pretoria and whom can be contacted on e-mail (.) oralternatively by land line during office hours ().
Any Inadequate or Needs Improvement response require an explanation in thecomment field where specific emphasis to the gap in the control is identified together
with the envisaged management plan of action to address the identified weakness/es.The responsible persons name and implementation date must also be captured.
For N/A responses, briefly explain why the question is not applicable.
Any internal control risks identified by the municipality during completion of thequestionnaire must be addressed. If at any time the municipality wishes to discuss thebest control process in which to address the risk/s, the municipality should contact itshead of internal audit and or the MIG Unit representative on ..(insert e-mailaddress).
7/31/2019 Control Risk Self Assessment Tool
27/36
CONTROL AND RISK SELF-ASSESSMENT TEMPLATE MIG PROGRAM
Inherent Risk Residual RiskMega / Major Process andRisks As Lik Imp
Leading Practice Control Actual Controls In PlaceAD NI IA
Action / Comments
STRATEGICStakeholder Management / CommunicationST1 - No or inadequatecommunication and orworking relationship betweenthe municipality and critical
external stakeholders (i.e.Sector Departments, Eskom,Provinces, dplg , etc.)
20 4 5 1. A formal communicationstrategy and plan is in placewhere the critical stakeholdershave been identified
2.
A review of the effectivenessof the communication processis undertaken on a regularbasis
3. Regular interfacing with theMIG Unit, SectorDepartments, provinces anddplg
4. MIG Orientation workshops5. Sector participation on PMITT
X
X
X
Action:
Responsible Person:
Due Date:
ST2 The relationship andcommunication between thePMU function and the otherdivisions/units within themunicipality is ineffective
5 5 1 1. A formal communicationstrategy and plan is in placeand has been rolled out
2. Regular meetings between thePMU function and othercritical divisions/units
3. Formal minutes of meetingsmaintained and circulated toall attendees in a timeousmanner
Action:
Responsible Person:
Due Date:
Policy Management
ST 3 - The municipality doesnot have the available MIGpolicy, framework, DoRA andPMU procedure, etc., in theirpossession
3 3 1 1. Municipality has identified therequired documentation theyshould have in theirpossession.
2. PMU function maintains therequired library of the MIGdocumentation and orliterature
Action:
Responsible Person:
Due Date:
1
7/31/2019 Control Risk Self Assessment Tool
28/36
Risk ManagementST4. - MIG risks have notbeen identified, assessed andincorporated into themunicipal risk assessment andor risk register
1. A formal risk managementsystem is in place and isoperational
2. MIG risks have beenidentified, assessed andranked.
3. MIG risks have been includedin the risk register
4. Internal audit reviews theserisks and controls as part of the annual audit program
5. The risk committee reviewsthe adequacy of the risk management systems andinternal audit reports on aregular basis (MIG Programincluded)
Action:
Responsible Person:
Due Date:ST5 - Line management hasnot assessed the adequacy of the system of internal controlsagainst the business risks on aregular basis
1. Quarterly review of the risksby line management (CSA)
2. Identification of control gapsand the implementation of control actions/treatments
3. Implementation of anoperational risk committee,chaired by the municipalmanager
4. Quarterly reporting to theAudit Committee and risk Committee on the status of thecontrol environment
5. External and internal auditreviews
6. Use of leading practice risk based control models (i.e.COSO, etc.)
Action:
Responsible Person:
Due Date:
2
7/31/2019 Control Risk Self Assessment Tool
29/36
BacklogsST6 - Inaccurate backlogtargets and figures
1. Formal process and reportdeveloped (backlog studies) todetermine backlog targets withimplementation plan
2. Uniform and acceptablecriteria utilised
3. Mechanism in place tomeasure and monitor theachievement of targets useof KPI dashboards andprogress on removal of
backlogs
Action:
Responsible Person:
Due Date:
Measuring & MonitoringST7 - No or ineffective MIGmeasuring and monitoringsystem in place at municipallevel
1. MIG performance part of themunicipal managers M&Mquarterly performancemeetings
2. Part of Council agenda andreporting
3. Dedicated Councilor for MIGProgramme
Action:
Responsible Person:
Due Date:FINANCIALMANAGEMENTFM 1 - Interest received onMIG funds utilised for otherpurposes other than for MIGprojects
1. Validation of MIG fundstransferred to funds received
2. Interest on MIG fundsreflected separately in thebooks of account
3. Adherence to DoRA, MIG,municipal financial policiesand procedures
4. Interest on MIG fundsreflected on monthly andquarterly DoRA returns
5. Statement on how and whereinterest was utilised
6. CSA, external and internalaudit reviews
Action:
Responsible Person:
Due Date:
3
7/31/2019 Control Risk Self Assessment Tool
30/36
FM2 - MIG funds utilised forpurposes other than for MIGprojects as per DoRA andMIG requirements
1. Effective financial accountingsystem and controls in place
2. Reconciliation between PMUfunction records and books of account on a monthly basis
3. If possible to have a separatebank account for MIG funds
4. Cash flow forecast per projectand compared with drawdownrecords
5. Adherence to DoRA, MIG,municipal financial policies
and procedures6. MIG funds received and spentreflected on monthly DoRAand project list returns
7. Regular management reviewsand sign-off by head of PMUfunction
8. Quarterly municipalmanagement performancemeetings and reports
9. CSA, external and internalaudit reviews
Action:
Responsible Person:
Due Date:
FM3 - MIG Funds over orunderstated in books of account
1. Segregation of duties2. Adherence to code of ethics
and values3. Effective financial systems
records and controls in place4. Effective expenditure and
income codes5. Comparison between WIP
records maintained by PMU
function and managementaccounts on a monthly basis
6. Regular management reviewsand sign-off by head of PMUfunction
7. Adherence to DoRA, MIG andmunicipalities financialpolicies and procedures
Action:
Responsible Person:
4
7/31/2019 Control Risk Self Assessment Tool
31/36
8. Effective delegations of authority
9. Effective working relationshipbetween CFO and head of PMU function
10. Quarterly municipalmanagement performancemeetings and reports
11. CSA, external and internalaudit reviews
Due Date:
FM4 - Financial figures andinformation on monthly
DoRA, cash flow and ProjectListing reports are inaccurateand or incomplete
1. Skilled PMU function andCFO staff
2. Reconciliation between booksof account and figuresreflected on monthly returnsby a third-party (i.e. CFO)
3. Reconciliation betweenprevious months returns andnew month figures
4. Quarterly municipalmanagement performancemeetings and reports
5. CSA, external and internalaudit reviews
Action:
Responsible Person:
Due Date:
FM5 - Compulsory MIGreporting information notsubmitted timely as per DoRAand MIG dplg requirements
1. Adherence to DoRA and MIGreporting requirements
2. Input and monitoring fromProvincial PPMU, Treasuryand MIG National
3. Quarterly municipalmanagement performancemeetings and reports
Action:
Responsible Person:
Due Date:
FM6 - Insufficient municipalfunding for M&E
1. Input from SectorDepartments on capital andmaintenance ratios.
2. Effective maintenancemanagement system and planin place.
3. Effective budgeting andmonitoring systems in place
Action:
Responsible Person:
Due Date:
5
7/31/2019 Control Risk Self Assessment Tool
32/36
OPERATIONSOP1 - MIG projects registerednot feasible or sustainable
1. Input and advice from sectordepartments.
2. Financial and projectfeasibility and sustainabilitystudies undertaken supportedby formal reports and signedoff.
3. EIA undertaken to ensurecompliance withenvironmental standards andlegislation.
4. Adherence to MIG fundingcriteria5. Effective system of M&E in
place
Action:
Responsible Person:
Due Date:
OP2 No or ineffective PMUfunction in place
1. Establishment of a PMUfunction not required to befull time or dedicated
2. Effective capacity buildingprogram in place
3. Utilisation of MIG funds torun PMU function in terms of MIG criteria and permitted %amount
4. Effective and adequateperformance managementsystem in place.
5. Effective and adequatemeasuring and monitoringsystems in place
6. Risk management systementrenched in day-to-dayactivities
7. Effective WIP accountingsystem in place
8. Use made of othermunicipalities PMU functionwhere more cost effective andor appropriate
Action:
Responsible Person:
Due Date:
6
7/31/2019 Control Risk Self Assessment Tool
33/36
OP3 - The PMU function notbeing responsible for the
administration and financialmanagement of MIG fundswithin the municipality
1. Head of the PMU functionhaving the necessary authority
to have ownership over thefunds and MIG system atmunicipal level.
2. Clear roles and responsibilities3. Effective and adequate
performance managementsystem in place.
Action:
Responsible Person:
Due Date:
OP4 - Inability to spend MIGfunding in a timeous manner
1. Effective procurement andsupply chain management
plan in place2. Effective supply chainmanagement system andprocesess in place
3. Effective contract and projectmanagement systems in place
4. Effective financial measuringand monitoring system inplace (WIP) includingbudgeting system
5. Reporting and action plans tomitigate the risks
6. Effective follow-up oncorrective action anddetermining if results havebeen achieved
Action:
Responsible Person:
Due Date:
OP5 Project overruns (Timeand financial)
1. Effective contract and projectmanagement systems in place
2. Effective financial andoperational measuring andmonitoring system in place
(WIP) including budgetingsystem and managementaccounts
3. Effective monthly financialand payment authorisationsystems and controls in place
Action:
Responsible Person:
Due Date:
7
7/31/2019 Control Risk Self Assessment Tool
34/36
OP6 - PMU function nothaving an effective project
management system in place
1. Formal project managementpolicy and procedures in place
2. Formal project charters inplace for each and everyproject
3. Coordinating and roll out of SMIF business plans
4. Formal project managementsystem in place (i.e. Summit,Prince2, etc.)
5. Effective file managementsystem in place
6.
Effective quality managementpolicy and systems (QMS) inplace
7. Regular site visits andmeetings to determineperformance to targets andmilestones
8. Formal site meeting minutesand governance practices
9. Follow-up on corrective action10. Effective risk management
system in day-to-day activitiesincluding SHE
11. Data capture, updating of alldata and KPIs on MIS
12. Monitoring and consolidatingof cash flow reports andexpenditure of each project
13. Accepting only originalinvoices, VAT numbers,supporting documentation, etc
14. Effective reporting system inplace monthly progressreports
15. Legal compliance reviews16. Site handover meeting17. Provincial intervention for non
performance
Action:
Responsible Person:
Due Date:
8
7/31/2019 Control Risk Self Assessment Tool
35/36
OP7- PMU function notapplying appropriate contract
management practices forMIG projects
1. Adherence to municipalitiesprocurement policies and
procedures as well asdetermining those labourintensive projects
2. Formal and legal contractsentered into for all contractsawarded externally togetherwith project charters
3. Legal expertise input andapproval
4. Contracts to be explicit with
penalty clauses, project defectliabilities, etc cognisancetaken of contractors businessstatus (Pty, CC, sole trader,unregistered, social initiative,etc.)
5. Ensuring that suppliers havethe ability and capacity todeliver on the project mandate
6. SLAs entered into whereservices and construction is tobe undertaken internallywithin the municipality
7. Use of an effective costingsystem to determine internalcosts
8. Community basedpartnerships
Action:
Responsible Person:
Due Date:
OP8 - An effective M&Esystem not in place for
measurement, reporting &feedback on the progress withMIG objectives andinfrastructure projects?
1. Formal M&E policy andprocedures in place
2. Formal M&E system andplans in place.3. Updated asset registers4. Effective costing and
budgeting system in place5. Capital replacement and
or rehabilitation coststaken into account
Action:
Responsible Person:
Due Date:
9
7/31/2019 Control Risk Self Assessment Tool
36/36
KEY DescriptionInherent Risk Risk without taking the controls into account
AS Risk AssessmentLIK LikelihoodIMP Impact
Residual Risk Risk after taking controls into accountAD AdequateNI Needs ImprovementIA Inadequate
Risk Ranking Risk ranking scoring mechanismHigh Impact X Likelihood = Risk Assessment
Medium Impact X Likelihood = Risk AssessmentLow Impact X Likelihood = Risk Assessment
10