OECD - Public Internal Financial Control Report

  • 8/12/2019 OECD - Public Internal Financial Control Report

    1/110

    !"#$%& ()*+,,"- .&%%"/ 0&11&*- 2$$3"% 4+- !+*+ 2$)%5

    6)71"8 9%,&*%+1:"%+%8"+1 ;$%,*$1;$#&1$

    Public Internal Financial Control Capstone

    Contents

    Acknowledgements

    Exec

    Tables

    Table 1: COSO components

    Table 2: Interview q

    Executive summary

    This project is a joint initiative of the London School of Economics (LSE) Master of P

    This project and the res

    1. Internal control in the context of public financial management

    This section defines internal control as an integral part of organisational proced

    embody both potentials – of greater efficiency and coordination on the one hand, and of greater sensitivity to social responsibility issues on the other” (Power, 2007, p. 40)

    The alignment of activities to management policies (COSO, 1994; INTOSAI, 2004b; INTOSAI, 2010; IFAC, 2010)

    The ass

    management and monitoring (Hoggett, 1996). Therefore, given the need for control to be maintained while in a decentralised arrangement, the c

    central inp

    (INTOSAI, 1995, p. 25), accr

    In s

    2.

    Table

    Another development in the early 2000’s was the establishment of the m

    val

    OECD governments, all of which may be eq

    likely to evolve over time” (de Koning, 2007 p. 33). This research has established that internal control is cond

    Treaseneral Accoeneral of Canada is to provide “government-wide leadership and f

    financial management and financial reporting (Treas

    BAI promotes aovernment

    and Internal Aeneral AccoAO). The overall standards for internal control are prom

    the reliability of financial reporting; and compliance with legislation, reg

    government gained independence and strengthened their professionalism. “The heads of IAUs are to be recr

    In France, the 1946 and 1958 French constiterman SAI, B

    Interviews with public sector professionals

    Interviews with a neneral of Canada work like a ‘Central Harmonisation Unit’ in that it works towards

    3. Methodology

    The following o

    disc

    Figure M= Response data points on iven the composite nat

    rigo

    to mention that this methodology o

    of the b

    09. Appropriateness of responses to risk (Congr

    from past implementations of similar responses?

    2: yes, there is a consistent and explicit

    acco

    How often is cost benefit analysis used as an element of assessing risk response?

    Proportion of risk treatments that are s

    5. Evaluation of project and next steps

    Below is the disc

    generate skewed or biased res

    of academic research in internal control. With regards to f

    Conclusion

    This project is the first of its kind in that it attempts to develop composite indicators of internal financial control for the p

    Bibliography

    Allan, M., R

    GAO. (1999). Standards for internal control in the federal government. Washington, D.C.: United States Government Accoovernment Accoower.

    IFAC. (2010). Handbook of international quality control, auditing, review, other assurance, and related services pronouncements. New York: NY, International Federation of AccoOV_9100_E.pdf

    INTOSAI. (2010). ISSAI 1003 Financial Audit Guideline – Glossary of Terms to the INTOSAI Financial Audit Guidelines. Retrieved 11 October 2011, from http://www.issai.org/media(800,1033)/ISSAI_1003_E_Endorsement_version.pdf

    INTOSAI. (n.d.). Guidance for reporting on the effectiveness of internal control: SAI experiences in implementing and evaluating internal controls. Retrieved 8 October 2011, from http://www.issai.org/media(575,1033)/INTOSAI_GOV_9110_E.pdf

    INTOSAI. (n.d.). Internal control: providing a foundation for accountability in government. Retrieved 8 October 2011, from http://www.issai.org/media(576,1033)/INTOSAI_GOV_9210_E.pdf

    INTOSAI. (n.d.). Further information on entity risk management. Retrieved 8 October 2011, from http://www.issai.org/media(577,1033)/INTOSAI_GOV_9130_E.pdf

    INTOSAI. (n.d.). Internal Audit Independence in the Public Sector. Retrieved 8 October 2011, from http://www.issai.org/media(801,1033)/INTOSAI_GOV_9140_E.pdf

    INTOSAI. (n.d.). Co-ordination and co-operation between Supreme Audit Institutions and internal auditors in the public sector. Retrieved 8 October 2011, from http://www.issai.org/media(802,1033)/INTOSAI_GOV_9150_E.pdf

    Ionesc

    McC

    Rahaman, A. S., & Lawrence, S. (2001). A negotiated order perspective on p

    Appendices

    Appendix 1: Terms of reference

    The following shows the terms of reference as agreed at the onset of the project. However, over the co

    We will eval

    Methodology

    Literat

    Deficiency A perceived, potential or real internal control shortcoming or an opport

    Appendix 3: Instructions for public sector professionals’ feedback

    The following is the doc

    i. Clarity of questions, responses and the corresponding explanations

    ii. Relevancy and appropriateness of indicators as part of the dimension as well as in general with respect to internal control

    iii. How realistic responses are in terms of capturing the true range of potential responses

    iv. Level of detail of the questions, responses and explanations (for example, too detailed or broad)

    v. How realistic it is for a line ministry to be able to respond accurately to the survey in a timely manner

    vi. Which ministries should receive the survey (based on size of budget allocation or other criteria)

    vii. At which level of government the survey should be distributed to. Although we have indicated that we intend to distribute the survey to a selection of individual ministries, this may not be the best or most efficient way to obtain the relevant information. We would appreciate your professional insights.

    Moreover, we would highly appreciate any other comments and feedback. Please provide general feedback within the large blue box below. Please provide your comments regarding individual indicators within the comment boxes below each indicator. We would like to thank you very much in advance and hope to hear from you by Friday the 15th of February, 2012. However, if this is not possible, we would appreciate your response at your earliest convenience.

    Appendix 4: Public sector professionals

    Below is the complete list of p

    Germany

    3. Esther Meyer, Referat 124 Revision, Brreco, Segretariato generale, Servizio di controllo della gestione, Corte dei conti

    8. Marcello Bessone, Ufficio VIII – Ispettorato generale di Finanza Ragioneria generale dello Stato Ministero dell’economia e delle finanze

    South Korea

    9. S.Y. Jeong, Head of Research Team 3, Research Instit

    01. Extent of IC procedures' formalisation

    1. Does the entity have well defined reporting procedures in place?

    2: Very well defined and formalised in writing; 1: somewhat informal; 0: no defined reporting procedures

    Reference category: Control Environment

    Reporting procedures are one of the strategies used to establish effective communication between management and staff. Reporting allows for monitoring of staff activities. It also ensures that staff roles and responsibilities are carried out in an effective manner (INTOSAI, 2004, p. 20). Since reporting procedures are an internal control activity, if there are well defined procedures in place, this indicates a high level of formalised internal control procedures.

    2. At what levels are internal control procedures defined?

    2: At all levels within the entity; 1: some levels; 0: not defined at any level

    Reference category: Control Environment

    If internal control procedures are defined at all levels within the entity this means there is a higher extent of formalisation of internal control procedures (INTOSAI, 2004, p.6). 'All levels' refers to the ministerial level (top-management), departments within the ministry, as well as units within departments.

    3. Is there a formal definition of internal control?

    1: Yes (please specify in what document or policy the definition can be found); 0: No

    Reference category: Control Environment

    Internal control is embedded in the day-to-day activities of an entity (COSO, 1994). Consequently, it may be the case that there is no explicit definition of internal control. A definition of internal control could encompass what internal control is and what the goals of internal control are. Hence, if there is a formal definition, there is a higher level of formalisation of internal control.

    4. Is there a formal definition of internal audit?

    1: Yes (please specify in what document or policy the definition can be found); 0: No

    Reference category: Control Environment

    Internal audit is part of internal control and plays a key role in supporting the functioning of the control activities (INTOSAI, 2004). A definition of internal audit could encompass what internal audit is and what the goals of internal audit are. Hence, if there is a formal definition of internal audit, there is a higher level of formalisation of internal control.

    5. Is there a specific policy outlining how control activities are to be carried out?

    2: Yes, written down (and orally); 1: Yes, orally only; 0: No

    Reference category: Control Activities

    Control activities "help ensure that necessary actions are taken to address risks to achievement of the entity's objectives" (COSO, 1994, p.4). Thus, they are a key part of the internal control. Consequently, the existence of a specific policy outlining the way control activities are to be carried out implies greater formalisation of internal control.

    6. Is there an individual and/or unit in charge of internal control in the entity?

    Yes/No

    Reference category: Ministry/Department

    Internal control is embedded in the day-to-day activities of an entity; hence the line management is primarily in charge of carrying it out (COSO, 1994). However, it may be the case that an individual or a unit is directly responsible for internal control, for instance by defining standards or control activities. In this case, internal control is more formalised.

    7. Is there a formal internal audit function?

    Yes/No

    Reference category: Ministry/Department

    Internal audit plays a key role in supporting the functioning of internal control by evaluating the effectiveness of control activities (INTOSAI, 2004). The existence of a formal internal audit function, hence, means a higher level of formalisation of internal control.

    8. Does the head of internal control and internal audit sign a statement outlining their responsibilities?

    2: yes, formal, legally binding statement; 1: yes, formal statement not legally binding; 0: no

    Reference category: Control Environment

    In some countries, the relevance of the internal control and internal audit function is emphasised via a formal acknowledgement of roles and responsibilities of the staff ultimately responsible for the internal control and internal audit. One way to do so is by requiring the signature of a formal statement. The existence of such requirements signals higher formalisation of internal control.

    02. Extensiveness of internal control activities

    9. Are there multiple checks (otherwise referred to as redundancy checks) whereby more than one person signs off on transactions?

    2: Yes, for all transactions; 1: Yes, for all transactions above a given threshold (please specify the threshold); 0: No

    Reference category: Control Activities

    Redundancy checks are an internal control activity (INTOSAI, 2004, p.29). Redundancy is one of the possible solutions to the problem of accountability, in which overlapping (and ostensibly superfluous) accountability mechanisms reduce the centrality of any one of them (Scott, 2000, p. 52). These procedures may be set in place for every transaction or for a relevant subset. Consequently, a higher share of transactions that are subject to redundancy checks indicates a more extensive internal control. This indicator aims to capture this phenomenon by assigning a higher score (2) in case redundancy checks are set in place for every transaction. 1 point is assigned when only a subset of transactions is subject to redundancy check. No point is assigned if no redundancy check is provided.

    10. Is there periodic comparison of physical assets recorded in the accounting system with the actual physical assets?

    4: Yes, periodically for every asset; 3: Yes, periodically for a sample; 2: Yes, irregularly for every asset; 1: Yes, irregularly for a sample; 0: No

    Reference category: Control Activities

    Although internal control is highly focused on monetary transactions, non-monetary flows are also very important (UN SNA, 2008). Hence, an extensive internal control system should be able to monitor both monetary and non-monetary transactions. This indicator highlights how frequently and comprehensively the entity verifies that records and physical assets match. This is a form of verification and reconciliation (INTOSAI, 2004, p.30).

    11. Are value-for-money (economy, efficiency, effectiveness) assessments carried out within the entity?

    3: systemically (very regularly on a set schedule); 2: occasionally (regularly, but on an ad hoc basis); 1: rarely (very infrequent); 0: never

    Reference category: Control Activities

    In the past decades, following the theories of New Public Management, many countries have attempted to reform the public sector to enhance the focus on performance (Holmes, 1992; Hood, 1991, 1995). One way to do so has been strengthening the link between policy and accounting with the introduction of value-for-money (VFM) auditing (Jacobs, 1998). Therefore, the introduction of VFM broadens the boundaries of the control activities (INTOSAI, 2004, p.30). This indicator aims to capture the extensiveness of the VFM evaluation, along a continuum going from systematic assessments to none.

    12. How many days of professional development training per staff (on average) are provided each year by the entity?

    4: More than 10 days; 3: 6 to 10 days; 2: 2 to 5 days; 1: 1 day; 0: none

    Reference category: Control Environment

    Providing staff members with professional development training can be considered an internal control activity. Development training helps in qualifying staff better for their jobs and provides incentives for good performance. If staff are fully qualified and up-to-date on professional standards this will reduce risk of poor performance due to staff incompetency (INTOSAI, 2004, p.20).

    13. Are staff responsibilities clearly defined?

    4: Yes, written down and reviewed more than once a year; 3: Yes, written down and yearly reviewed; 2: Yes, written down; 1: Yes, communicated orally; 0: No

    Reference category: Control Environment

    Control activities need a set of preconditions in order to function properly. One such precondition is the possibility to make actors accountable. In turn, accountability depends on the clarity of responsibility, which is the possibility to clearly identify roles and performances (Sbragia, 2007, Tavits, 2007) and to avoid problems of blame shifting (Hood, 2003). Consequently, clear and well defined roles allow the internal control activities to be more extensive and detailed. In this case, the formal specification of roles and the presence of a revision process are associated with a more extensive internal control system (INTOSAI, 2004, p.31).

    14. What are the management's decision criteria to ensure that necessary resources are allocated to the IC system?

    (open question) -

    Reference category: Ministry/Department

    As any other activity in an entity, the functionality of internal control is conditional on the allocation of the necessary resources, in terms of personnel, expertise, funds, and technology. Consequently, the extensiveness of the internal control is a function of the level of resources assigned to it. This indicator aims to identify the existence of specific criteria to ensure that the resources that are allocated to the IC system are sufficient to ensure its functioning. Examples of such criteria are that resources may be allocated according to the level of risk of the activity or by the percent of the budget consumed by the activity.

    15. Are routine evaluations made to monitor how well employees are achieving performance targets?

    2: formalised and regular employee evaluations to monitor whether performance targets are achieved; 2: Informal but regular evaluations; 1: formalised but irregular employee evaluation; 1: Informal ad hoc evaluations; 0: no evaluations

    Reference category: Control Activities

    Performance targets help identify the actual results of the single components of the organization, vis-à-vis the expected ones. An extensive and regular assessment of these results helps identify unexpected trends and the underlying phenomena that can jeopardize the achievement of the overall objectives (COSO, 1994). Thus, the extensiveness of internal control activities is a function of the existence of routine employee evaluations. Performance appraisals are a good reminder to staff of their obligations (INTOSAI, 2004, p.19).

    03. Involvement of top management in control activities


    quantitative values.

    20. Does the top management modify the entity's operating decisions based on poor performance?

    2: yes, policies are always amended, carried on or dropped due to performance assessment; 1: yes, they are sometimes amended; 0: no, top management does not modify the operating decisions based on poor performance

    Reference category: Control Activities

    Top management may use the results of performance assessments to inform their decisions regarding the operations of the entity. This indicator captures the extent to which top management adjusts entity operating systems due to poor performance. The more they adjust operations, the more they are involved in internal control of the entity, as poor performance is a significant risk to reaching overall entity objectives. In this context performance is taken to be the results of value-for-money assessments, compliance or regularity audits and other measures of performance (INTOSAI 2004 p. 30).

    04. Appropriate and achievable setting of targets and objectives

    21. Does the entity check/evaluate internally whether they are setting realistic performance targets?

    2: yes, formal and regular evaluation conducted; 1: yes, occasional process of evaluation; 0: no

    Reference category: Control Environment

    By keeping their performance targets realistic, an entity can ensure efficient progression towards objectives. Moreover, it will reduce the likelihood of unethical behavior among employees. "Setting realistic performance targets […] reduces counterproductive stress as well as the incentive for fraudulent financial reporting that unrealistic targets create" (COSO, 1994, p.25). It is desirable for an entity to conduct an internal evaluation of whether their targets are realistic and achievable. The more formal and periodic the internal evaluation is, the more likely targets will allow for progression towards objectives and serve as a safeguard against incentive for improper and undesirable behavior.

    22. Are high-level targets aligned with entity-wide objectives?

    2: targets developed to be very closely aligned with objectives; 1: targets somewhat aligned with objectives; 0: targets not closely aligned with objectives at all

    Reference category: Control Environment

    Entity-wide objectives are represented by the entity's mission and value statements, and they lead to the development of an overall strategy (COSO, 1994, p.33). Following the entity's overall strategy, more-specific objectives and corresponding high-level targets to meet these objectives are established. Developing targets that are consistent with entity-level objectives is a desirable condition for the entity to identify critical success factors and thus achieve their objectives. This indicator captures the extent to which targets are developed to be aligned with entity-wide objectives. The more closely aligned targets are with entity-wide objectives, the less likely the entity encounters the risk of failing to achieve their objectives.

    23. Do risks and internal control impact the setting of policy objectives?

    2: yes, IC is an integral part of objective setting processes; 1: Yes, IC is somewhat considered in objective setting; 0: no

    Reference category: Risk Assessment

    In achieving objectives, an entity encounters risks at all levels within their organisation. Although internal control cannot perfectly eliminate all risks for the entity, it certainly reduces risks and helps the entity achieve its objectives (COSO, 1994, p.6). Hence, if an entity's objective setting process is closely related with risks and IC, it is more likely to be able to achieve its objectives.

    24. Are the entity-wide policy objectives clearly defined?

    2: yes, objectives are defined in a written format; 1: somewhat defined in a written format; 0: not defined in a written format

    Reference category: Risk Assessment

    Setting clearly defined entity-wide objectives helps identify critical risks and success factors to achievement of the objectives. In addition, as internal control relies on checks and balances among employees at all levels within an entity, explicitly stated objectives are likely to provide a clear understanding of roles and responsibilities of different personnel in achieving common objectives (COSO, 1994, p.89). If objectives are clearly explained in a written format, they are likely to serve as points of reference for the expectation of staff performance and evaluation.

    25. How specific are entity-wide policy objectives?

    Percentage of objectives quantified (100% = 10, 50% = 5, etc.)

    Reference category: Risk Assessment

    Specificity of objectives enables an entity to better identify different kinds of risks to achievement of their objectives. Therefore, the more specific an entity's objectives are, the more it is likely to achieve its objectives. This indicator assesses how specific objectives are, capturing the percentage of objectives that are written in quantitatively measurable terms.

    26. At the entity level, is there a procedure for performance reviews to assess the progress towards targets?

    2: yes there is a procedure which extensively uses quantifiable indicators of performance; 1: yes there is a procedure but with few quantifiable indicators; 0: no

    Reference category: Control Activities

    Setting measurable targets that align with overall objectives provides an entity with a clear direction, toward which it moves in conducting its activities and achieving objectives (COSO, 1994, p.39). The extent to which these measurable targets are being reached can be assessed by formal performance reviews. If a performance review exists there will therefore be more appropriate and achievable setting of targets and objectives. A performance review procedure which uses quantifiable indicators of performance is likely to better assess an entity's progress towards meeting their targets than a procedure which does not or barely use quantifiable indicators does.

    27. At the unit level, is there a procedure for performance reviews to assess the progress towards targets?

    2: yes there is a procedure which extensively uses quantifiable indicators of performance;
    1: yes there is a procedure but with few quantifiable indicators;
    0: no

    Reference category: Control Activities

    This is the same question as the one above, but looks at the unit level.

    28. How closely are unit-level objectives aligned with entity-wide objectives?

    2: unit level objectives are very closely aligned with entity objectives;
    1: unit level objectives are somewhat aligned with entity objectives;
    0: unit level objectives are not closely aligned with entity objectives

    Reference category: Control Environment

    The objectives of internal units and functions must be aligned with entity-wide objectives (COSO, 1994, p. 38). Linkage of unit-level objectives with entity-level objectives and overall strategic plans is likely to reduce risks to achievement of objectives.

    05. Staff awareness of IC

    29. Is there a code of conduct?

    2: yes, written formally;
    1: yes, orally;
    0: no

    Reference category: Control Environment

    Staff members contribute significantly to internal control. Internal control is an explicit or implicit part of everyone's duties and all staff members play a role in effecting control (INTOSAI, 2004, p. 43). The indicator looks at whether there is a formalised code of conduct in place which ensures that staff can always refer back to a document which implies high awareness of internal control. An orally communicated code of conduct may produce more ambiguity and more difficulty in accessing and referring back to the code of conduct.

    30. Is there training on ethics?

    3: regularly (once a year or more often);
    2: sometimes (less than once a year);
    1: once when staff join;
    0: there is no training on ethics

    Reference category: Control Environment

    Internal control is closely linked to ethics. Providing training can raise the awareness of public servants of the internal control objectives and, in particular, the objective of ethical operations, and helps them to understand the internal control objectives and to develop skills to handle ethical dilemmas (INTOSAI, 2004, p. 18).

    31. Are staff made aware of internal control procedures?

    3: regularly (once a year or more often);
    2: sometimes (less than once a year);
    1: once when staff join;
    0: staff are not explicitly made aware of IC procedures

    Reference category: Control Environment

    Staff need to understand the internal control procedures in order to carry them out successfully. This requires that they are made aware of these procedures (INTOSAI, 2004, p. 39 & p. 43). This indicator measures the extent to which staff are made aware. There are different ways of providing this awareness, for instance through workshops or training. What is crucial with respect to staff awareness of internal control is the regularity of such workshops or trainings to remind staff of the current procedures.

    06. Extent of Information Systems utilisation

    32. Does a management information system (MIS) exist at the unit level?

    3: yes, operational in all or most units;
    2: yes, operational in some units, and in the process of planning and/or development in others;
    1: in the process of planning and/or development;
    0: no MIS exists at the unit level

    Reference category: Info and Communication

    Control activities significantly rely on the flow of relevant information (COSO, 1994; ISO, 2009). Hence, the existence of a management information system is particularly critical. "Organisations have become increasingly dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. [...] Information systems is an integral part of most control activities" (INTOSAI, 2004, p. 32).

    33. > Is the management information system (MIS) responsive to changes in the business environment?

    2: the MIS is responsive whenever there is a change in the business environment;
    1: the MIS is sometimes responsive to changes in the business environment;
    0: the MIS does not take into consideration changes in the business environment

    Reference category: Info and Communication

    Ideally, the MIS should ensure that relevant information flows across the entity, informing decision makers in a timely and comprehensive manner. As the business environment is consistently changing, the information system may need to adapt its technical capabilities or the way in which information is collected and disseminated. Changes in the business environment may include external as well as internal changes that affect the way the business operates. If the MIS is responsive to the business environment, this indicates that the system is utilised to a greater extent and allows decision makers to make more appropriate choices.

    34. > How comprehensive is the management information system (MIS) in covering operational, financial and evaluative functions?

    3: the MIS covers all aspects of operational, financial and evaluation functions;
    2: the MIS covers two of the three functions (specify which!);
    1: the MIS covers one of the three functions (specify which!);
    0: the MIS does not incorporate operational, financial and evaluative functions (please specify what the MIS covers)

    Reference category: Info and Communication

    If the MIS is more comprehensive, it will cover a greater amount of information and thus, there is greater likelihood that it will be utilized. The more comprehensive the MIS, incorporating different types of information, the greater the availability of information within the entity. Future decision making in the management of financial resources can be taken from a more informed position (INTOSAI, 2004, p. 37). Responses to this indicator capture the comprehensiveness of the MIS without placing specific value on any one type of information (i.e. operational, financial or evaluative).

    35. Does a financial management information system (FMIS) exist at the entity-wide level?

    2: yes, in operation already;
    1: in the process of planning and/or development;
    0: no

    Reference category: Info and Communication

    Internal financial control may be better or more efficiently conducted if a financial information system is in operation within an entity (INTOSAI, 2004, p. 37). This indicator captures whether an FMIS is in use. If not currently in use, an FMIS may be in the stages of development, which indicates that a formal information system for financial matters will soon be utilised.

    36. > Is the FMIS responsive to changes in the business environment?

    2: the FMIS is responsive whenever there is a change in the business environment;
    1: the FMIS is sometimes responsive to changes in the business environment;
    0: the FMIS does not take into consideration changes in the business environment

    Reference category: Info and Communication

    The more responsive the FMIS is to changes in the business environment, the greater the likelihood that the information gleaned from its use will be accurate and appropriate, leading to better informed decision making. Responsiveness can imply many things such as, for example, changes in the way financial information is recorded, who is engaged in the recording, the timeliness of record entry into the system after a transaction, etc. (INTOSAI, 2004, p. 38). This indicator captures the extent of FMIS responsiveness to changes in the business environment, with a greater responsiveness implying that the information system is more likely to be utilized to a greater extent in decision making.

    37. To what extent does the information system (MIS and/or FMIS) inform strategic decisions?

    4: always;
    3: often;
    2: occasionally;
    1: rarely;
    0: never

    Reference category: Info and Communication

    This indicator captures to what extent the information system is used to inform strategic decision making. The information system may include relevant information to lead to better informed decision making and the more it is used, the more appropriate the strategic decisions chosen may be to the current state of the entity. The responses capture how often the information system is used by strategic decision makers.

    38. How long is the average time taken between a financial transaction occurring and it being recorded in the information system?

    4: whenever there is a financial transaction, it is immediately recorded and updated in the information system;
    3: maximum a day;
    2: less than a week;
    1: more than a week;
    0: financial transactions are rarely recorded

    Reference category: Info and Communication

    The shorter the delay between a financial transaction occurring and its appearance in the information system, the more accurate and up to date the information system will be. A more accurate and up to date information system is an indicator of the extent of information system utilization as the more the system is relied upon to inform the entity the more critical its timeliness and accuracy will be. The responses capture the range of how promptly financial information may be recorded in the system (INTOSAI, 2004, p. 37).

    39. Is the role of information systems clearly communicated to management and staff?

    3: the role of information systems is communicated at regular intervals to all staff;
    2: the role of information systems is communicated at irregular intervals or on a case-by-case basis;
    1: staff are made aware of the role of information systems when they newly join;
    0: there is no formalised procedure to inform staff of the role of information systems

    Reference category: Info and Communication

    If the role and importance of information systems is clearly communicated to staff, there is a greater likelihood that the staff will update the systems regularly and use the systems to inform their activities. This indicator captures the regularity at which staff are given instruction regarding the role of information systems (INTOSAI, 2004, p. 38).

    40. How accessible are internal records (financial and non-financial)?

    2: Very easily accessible: all in one system accessible to all;
    1: accessible but time consuming and/or spread across different systems;
    0: hardly accessible: information spread across systems that may require specialist to access

    Reference category: Info and Communication

    Information can be difficult to access by general staff as the overall information system may be such that information is spread across many separate systems. This requires greater effort by staff to gather and compare relevant data. Moreover, the system may require a specialist to access and thus staff use of the system may be minimal. The ease of use of the information system impacts how often and to what extent the system is utilised by staff (and perhaps top-management) to inform decision making (INTOSAI, 2004, p. 38). This indicator captures the range of how accessible information systems are to individuals in the entity.

    07. Standardisation of communication between management and staff

    41. Are objectives effectively communicated to employees?

    3: Various channels are regularly used to explain and update on the objectives to all staff in all levels;
    2: Staff are made aware of the objectives in irregular intervals or on an ad-hoc basis;
    1: Staff are made aware of the objectives when they newly join;
    0: There is no formalised procedure to inform staff of the objectives

    Reference category: Risk Assessment

    A key aspect of communication between management and staff is the effective communication of objectives. This indicator measures whether objectives are clearly communicated in relation to the standardisation of communication. Therefore, the most standardised means that objectives are communicated to staff regularly and through a variety of defined channels.

    42. Are there formal communication channels between management and staff?

    2: Yes, there is more than one formal communication channel (such as regular meetings, MIS, email, etc. - please specify);
    1: Yes, there is one formal communication channel (please specify);
    0: No, there are no formal communication channels, all communication occurs on a case by case basis

    Reference category: Info and Communication

    One of the most critical communications channels is that between management and its staff (INTOSAI, 2004, p. 39). This indicator looks at whether there are formal communication channels in place that facilitate communication between management and staff. The goal of this indicator is to measure the extent to which this communication is formalised through the number of channels.

    43. > If yes, how regularly are formal communication channels between management and staff used?

    2: on a regular, recurring basis at least once a week;
    1: on a semi-regular basis;
    0: very irregularly or there are no formal communication channels used

    Reference category: Info and Communication

    In addition to the number of channels used for communication between management and staff, a second aspect of standardisation refers to the frequency. Therefore, this indicator measures how regularly these formal communication channels are used, where a set schedule with frequent occurrence receives a higher score.

    44. Are there opportunities for employees to provide feedback to management on whether internal controls are effective?

    2: Yes there is more than one formal communication channel reserved to provide feedback to management (such as through regular feedback meetings, MIS feedback surveys, etc.);
    1: Yes, there is one formal communication channel for feedback;
    0: No, there are no formal communication channels, all communication regarding feedback occurs on an ad-hoc basis and/or occurs informally

    Reference category: Monitoring

    "Effective communication should occur in all directions, flowing down, across and up the organisation, throughout all components and the entire structure. [...] Management must be kept up to date on performance, developments, risks and the functioning of internal control, and other relevant events and issues" (INTOSAI, 2004, p. 38-39). This indicator looks at whether staff have the opportunity to provide this feedback through defined formalised channels.

    07. Standardisation and extent of communication

    45. How often are external stakeholders engaged in an exchange of information?

    4: systemically (very regularly on a set schedule);
    3: occasionally (regularly, but on a case-by-case basis);
    2: rarely (very infrequent);
    1: never, but planned in the next year;
    0: never

    Reference category: Info and Communication

    The involvement of external stakeholders is critical to the functioning of internal control. In particular, external stakeholders may make it easier for the entity to identify risks in a more timely and comprehensive way (COSO, 1994; ISO, 2009). This indicator aims to capture the extent to which communication is embedded in the internal control activities.

    08. Rigour of risk assessment

    46. At what level(s) are risks assessed?

    2: at all levels within the entity;
    1: some levels;
    0: not assessed at any level

    Reference category: Risk Assessment

    Risks can occur at any level within an entity. In order to assess risks in a more rigorous manner, they need to be assessed at all levels. 'All levels' refers to the ministerial level (top-management), departments within the ministry, as well as units within departments (INTOSAI, 2004, p. 23).

    47. At what level(s) are risks defined?

    2: At all levels within the entity;
    1: some levels;
    0: not defined at any level

    Reference category: Risk Assessment

    As well as being multi-dimensional, risks may present themselves in different ways depending on what level within an entity they occur. That is to say a financial risk has different implications for management than for a small operational unit. Therefore, a risk assessment is more rigorous if risks are defined at all levels. 'All levels' refers to the ministerial level (top-management), departments within the ministry, as well as units within departments.

    48. How many types of risks do you define?

    2: A variety of dimensions are taken into account (such as financial, operational, political, reputational risk, human and cultural factors; please specify);
    1: Risk is defined in only one dimension (please specify);
    0: No definition of risk is provided

    Reference category: Risk Assessment

    Risk is typically a multi-dimensional issue that encompasses financial risk, reputational risk, political risk and others. A risk assessment is more rigorous if it takes into account several risk dimensions and defines these clearly.

    49. How formal are the procedures for risk assessment?

    2: very formal (defined in a policy);
    1: somewhat formal (routinely completed following the same procedures);
    0: not formal, procedures on a case by case basis

    Reference category: Risk Assessment

    A more formal procedure for risk assessment implies a more rigorous risk assessment.

    50. How often is a risk assessment on a strategy level undertaken by top management?

    4: systemically (very regularly on a set schedule);
    3: occasionally (regularly, but on an ad hoc basis);
    2: rarely (very infrequent);
    1: never, but planned in the next year;
    0: never

    Reference category: Risk Assessment

    Top management is responsible for strategy and therefore they should subject their strategic planning to risk assessment. In doing so, the policy objectives defined will more likely be achieved. A systematic assessment of risks ensures that emerging risks can be identified swiftly. If top management is involved in risk assessments at a greater frequency, this translates into a more rigorous risk assessment in general.

    51. How often is a risk assessment on an activity level undertaken?

    4: systemically (very regularly on a set schedule);
    3: occasionally (regularly, but on an ad hoc basis);
    2: rarely (very infrequent);
    1: never, but planned in the next year;
    0: never

    Reference category: Risk Assessment

    This indicator captures the frequency of risk assessment in the same way the indicator above does. However, this indicator looks at activity level risk assessments.

    52. Who performs risk assessment?

    (open question)

    Reference category: Risk Assessment

    This is an open question that seeks to capture which body within the entity performs risk assessments.

    53. Are individuals external to a specific unit involved in risk assessment?

    2: Yes, always;
    1: Yes, sometimes;
    0: No

    Reference category: Risk Assessment

    Having an external body involved in risk assessment ensures objectivity and independence from the specific unit that undertakes its risk assessment. Processes that may seem natural or negligible but potentially pose risks can more easily be detected from the outside. This ensures that a risk assessment is carried out with a greater scope, thereby making the risk assessment more rigorous (INTOSAI, 2004, p. 43).

    54. Does risk assessment address the limitations of data or modelling used as input to the risk assessment process itself?

    2: Yes, always;
    1: yes, sometimes (please specify in which cases);
    0: no

    Reference category: Risk Assessment

    An important aspect of the risk assessment is the methodology of the assessment itself. It is crucial to ask how the modelling of risk was done and where its limitations lie as well as the limitations of data used. Risks can only be identified if the methodology allows them to be identified and therefore if modelling or data is poor, certain risks may not be perceivable (ISO, 2009, p. 7). For a more rigorous risk assessment, these modelling and data limitations have to be addressed. In this question, we seek to capture whether these factors are generally taken into consideration in risk assessments. If, for instance, only capital projects or a subset of risk assessments address these limitations, please specify.

    55. Is anyone responsible for the development and revision of the framework/procedures for risk assessment?

    2: there is an official position whose role includes this task;
    1: this responsibility is assigned on a case-by-case basis;
    0: there is no assigned responsibility for this

    Reference category: Risk Assessment

    A clear responsibility to develop, implement and maintain the framework as well as procedures for risk assessment ensures that the risk assessments are up-to-date and in line with the business processes. Risk assessment is more rigorous with an individual responsible for these tasks (ISO, 2009, p. 11).

    56. Are there processes for consultation with internal stakeholders?

    2: yes, formal (defined in a policy or document);
    1: yes, informal;
    0: no

    Reference category: Risk Assessment

    Units within an entity typically operate in a way such that there are a number of entity-internal but unit-external stakeholders integrated in the business process. By consulting with these stakeholders, a risk assessment can take into account further points of view, making the risk assessment more rigorous (ISO, 2009, pp. 22-23).

    57. Is there a procedure to quantify the magnitude of a risk?

    2: yes, formal;
    1: yes, informal;
    0: no

    Reference category: Risk Assessment

    If the magnitude of risk is quantified it will provide a measurable estimate with regard to the effects a risk might have (ISO, 2009, p. 6). A well-defined, formal procedure means quantifying the magnitude of risk can be carried out easily and the risk assessment itself will be more comprehensive and rigorous. An informal procedure may also exist, for instance a common practice that has not been formally recorded in a document or through a policy.

    58. In general, do risk assessments consider timeframes (assessing short and long term risks)?

    2: yes both short and long term risks;
    1: yes, only one (please specify whether short OR long term risks);
    0: no

    Reference category: Risk Assessment

    If a risk assessment makes clear associations of a risk to a timeframe and distinguishes between short and long term risks (which pose different threats to business processes and should thus be handled differently), the risk assessment is more rigorous (ISO, 2009, p. 17).

    59. Does the risk assessment include sensitivity analysis?

    2: yes, for all projects;
    1: yes, for some projects;
    0: no

    Reference category: Risk Assessment

    Sensitivity analysis allows one to see how the conclusions of risk assessments may change as the assumptions used in a model vary. As an aid in decision making, sensitivity analysis can also aid in identifying the most sensitive or important decision variables (EDRC, 1999; Frey and Patil, 2001). Therefore, being an integral part of risk assessment, a more rigorous risk assessment includes one or more methods of sensitivity analysis.

    60. Does risk assessment include the assessment of risk treatment options (transfer, tolerate, terminate, treat)?

    2: yes, all risk treatment options are assessed;
    1: yes, but only some risk treatment options are assessed;
    0: risk assessment does not include an assessment of risk treatment options

    Reference category: Risk Assessment

    How the organisation responds to identified risks can bear risks in itself. In other words risk treatment might pose new risks. In order for a rigorous risk assessment to be carried out, these risk treatment options should be assessed to fully understand the breadth and depth of potential risks (INTOSAI, 2004, pp. 22, 26).

    61. Is complementary research undertaken on the industry/sector in which the entity operates?

    2: yes, very thorough research is conducted;
    1: yes, some research is conducted;
    0: typically there is no research conducted

    Reference category: Control Activities

    Complementary research helps to understand how organisations in the same or a comparable industry/sector operate. For instance, there may be common risks identified in a certain sector that can complement the entity's risk assessment and make it more rigorous.

    09. Appropriateness of responses to risk (Adaptability of risk assessment)

    62. How often is the risk assessment procedure changed to reflect changes in the business environment?

    2: regularly (once every two years);
    1: sometimes (less than once every two years);
    0: infrequently (less than once every five years)

    Reference category: Risk Assessment

    Risk assessment is an ongoing process and is subject to changes in the environment. Changes in the external and internal context may induce changes in risk criteria and suggest alterations in the procedures for risk assessment. Management needs to ensure that their control system continues to be relevant and able to address new risks (COSO, 1994, p. 69). The more adaptive risk assessment procedures are to both external and internal changes, the more appropriate responses to risks are.

    63. Are the results from monitoring and review procedures used to improve risk assessment?

    2: yes, information gathered from monitoring and review is used to improve risk assessment;
    1: yes, information gathered is made available to those conducting risk assessment (but not necessarily used for improvement);
    0: no, the information gathered from monitoring and review is not used to inform improvements of risk assessment

    Reference category: Risk Assessment

    Monitoring and review "ensure that internal control continues to operate effectively" (COSO, 1994, p. 69). Therefore the purpose of ongoing monitoring and periodic review is to provide management with evaluative information, where they can check internal control procedures and where necessary improve and amend them. Information gathered from monitoring and review can also be used to indicate problems and to signal where improvements in risk assessment may be necessary (ISO, 2009, p. 20). If information is used this way, it increases the adaptability of risk assessment, which in turn brings about a more effective and timely identification of risks.

    64. Are there monitoring procedures designed to identify new emerging risks?

    2: yes, there are formal procedures;
    1: yes, there are ad hoc procedures;
    0: no procedures are used at all

    Reference category: Risk Assessment

    Among the purposes of monitoring and review is to identify new risks which emerge in the period between formal risk assessment procedures. If such monitoring procedures exist, risk assessment will be more appropriate and adaptable (ISO, 2009, p. 20). Consequently, formal monitoring and review procedures to identify new emerging risks are more likely to lead to an effective and timely risk assessment than ad hoc or no procedures. Moreover, responses to risk will be more appropriate.

    09. Appropriateness of responses to risk (Congruence of control activities and risks)

    65. How closely are control activities linked to risks identified in the entity?

    2: control activities are developed based on risks identified in a risk assessment;
    1: the development of control activities takes into account identified risks but is not entirely based on a risk assessment;
    0: control activities and identification of risk are not linked

    Reference category: Control Activities

    Control activities that are put in place must be aligned with actual risks if such risks are to be mitigated (COSO, 1994, p. 51). Integration of control activities with the risk assessment process therefore allows for more appropriate and timely responses to risks. In other words, the more control activities are shaped according to identified risks, the more proper and timely actions there are to address risks to achievement of objectives.

    09. Appropriateness of responses to risk (Systematic responses to risks)

    66. Are there procedures for responses to risks?

    2: yes, there are formal procedures defined (transfer, tolerate, treat, terminate);
    1: yes, but they are created case-by-case or as needed;
    0: no

    Reference category: Risk Assessment

    Once risks are identified and analysed, the next step is to determine how to manage the risks. Systematic responses to risks involve risk transfer, tolerate, treat and terminate (INTOSAI, 2004, p. 26). This indicator captures the extent to which procedures for responses to risks are formal and thus more systematic. The rationale is that more formal and systematic procedures for responses to risks will lead to more appropriate responses to risk.

    67. > If so, are these procedures defined internally by the entity or by an external body?

    A: entirely defined by external body;
    B: partly defined externally, partly defined internally;
    C: entirely defined internally;
    (Please specify)

    Reference category: Risk Assessment

    This question gathers additional information regarding who defines formal procedures for responses to risk.

    68. Is there an escalation process to deal with significant risks?

    2: yes, there is a formal escalation process;
    1: yes, there is an informally defined escalation process;
    0: no escalation process exists

    Reference category: Risk Assessment

    Proper reporting and escalation processes can enhance accountability in managing risks (ISO, 2009, p. 11). If an entity has an escalation process to deal with significant risks, this is a type of systematic response to risks. The more formal the escalation process is, the more systematic and hence the more appropriate responses to risk are. Significant risks will be dealt with at the appropriate level in a timely manner and staff will be more easily held accountable for addressing significant risks. Formal escalation processes provide documents to which staff can refer, whereas informally defined escalation processes may become more difficult to access and refer to over time.

    69. Does the risk assessment define the level at which risk becomes acceptable or tolerable?

    1: yes, there is a defined numerical threshold;
    1: yes, professional judgement is used to determine if a risk is acceptable;
    0: no

    Reference category: Risk Assessment

    One way to evaluate the significance of risk is to set the risk criteria and define the level at which risk becomes acceptable or tolerable (ISO, 2009, p. 17). Whether the level is a clearly defined numerical threshold or a matter of professional judgment, having such a threshold allows for a systematic response to risk and in turn risks will be dealt with in an appropriate manner.

    70. Does the risk assessment explicitly recommend to top management which risks need a response and thepriority for the implementation of responses?

    2: yes, the risk assessment document contains explicit recommendation to management as to which risksrequire a response and the priority for response implementation;1: yes, the risk assessment document contains explicit recommendation to management as to which risksrequire a response, but not the priority for response implementation;0: no, the risk assessment does not explicitly provide such recommendations to top management

    Reference category: Risk Assessment

    After the risk assessment, an entity determines which risks need a response and the priority for the implementation of responses. While the risk assessment will likely always provide useful information about risks and indicate where responses may be necessary, it may or may not explicitly make recommendations to top management on these matters. If the risk assessment document includes recommendations on which risks require responses and the priority for the implementation, this is likely to improve risk responses and make them more appropriate.

    71. Is there a procedure to address residual risks? (those remaining after initial risk treatment)

    2: yes, those conducting risk assessment provide further recommendations for the treatment of residual risk;
    1: yes, the residual risk is communicated to the unit manager and it is the responsibility of the unit manager to respond;
    0: no, there is no procedure to address residual risk

    Reference category: Risk Assessment

    Once the significance and likelihood of risk have been assessed, management needs to consider how the risk should be managed (COSO, 1994, p. 42). The complete elimination of threats is virtually impossible; hence, the risk assessment is likely to be more appropriate if it holistically evaluates the impact of the risk response, and specifically the effect of the threats that are still in place after the responses.

    72. Does risk assessment include a way to decide whether residual risk levels are tolerable?


    1: yes, there is a defined numerical threshold;
    1: yes, professional judgement is used to determine if risk is acceptable;
    0: no

    Reference category: Risk Assessment

    Even after risk treatment, it is likely that some level of residual risk will always exist (COSO, 1994, p. 43). Decision makers will have to decide whether residual risk levels are tolerable, and if not tolerable, they will generate a new risk treatment plan and assess the effectiveness of that treatment (ISO, 2009, p. 19). An entity is more likely to have appropriate systematic responses to risks if it has either a defined numerical threshold of tolerable risk or professional judgment of acceptable risk. Likewise, an entity whose risk assessment does not define the level of tolerable residual risk is less likely to have appropriate systematic responses to risks.

    73. Are plans for responses informed by lessons learned from past implementations of similar responses?

    2: yes, there is a consistent and explicit account of past experiences when a plan is drafted;
    1: yes, past experiences are considered but not in a consistent and formalised way;
    0: no

    Reference category: Risk Assessment

    This indicator relies on the idea of learning organisations (see Easterby-Smith et al., 1999). The effective use of information collected during previous attempts to deal with risks is essential to better design the risk treatment. Moreover, it helps reduce the scope of unforeseen residual risks. In sum, the design of treatment plans is more likely to be appropriate when it effectively accounts for past experiences.

    74. How often is cost benefit analysis used as an element of assessing risk response?

    Proportion of risk treatments that are subject to cost-benefit analyses (for example, 90%)

    Reference category: Risk Assessment

    Selecting the most appropriate risk response option involves balancing the costs and efforts of implementation against the benefits derived (ISO, 2009, p. 19; INTOSAI, 2004, p. 8). In other words, it is sensible to implement a risk treatment only if the payoff offsets the costs. Thus, the response to risk is likely to be more appropriate if it is analysed in terms of costs and benefits. Consequently, the score for this indicator is a proportion of the risk treatments that are subject to cost-benefit analyses.

    75. Is there a formal procedure to manage the risks caused by unforeseen events (crisis management)?

    2: yes, there are formal procedures;
    1: yes, there are procedures on a case-by-case basis;
    0: there are no formal procedures

    Reference category: Control Activities

    It is unfeasible for an entity to predict every possible risk. Therefore, sometimes the entity has to deal with unforeseen threats. In this case, the entity should put in place procedures to cope with these new risks as soon as unforeseen events occur and are identified as threatening (COSO, 1994). The response is more appropriate if it follows a pre-existing procedure, rather than deciding how to deal with the problem by ear once the crisis has already occurred.


    76. Are risk response plans written down? (i.e. a document on how the chosen treatment options will be implemented)

    Yes/No

    Reference category: Control Activities

    If a risk response plan is written down, responses will be more systematic and, in turn, it is more likely that responses to risk are more appropriate.

    77. Is there a procedure for risk reporting?

    2: yes, there is a formal reporting procedure;
    1: yes, but it is defined case by case;
    0: no risk reporting procedure exists

    Reference category: Risk Assessment

    Responses to risk rely on the accessibility of relevant information on the nature of the threats. Organizations are complex environments, linking complex networks of stakeholders (Rowley, 1997). Thus, it is possible that a subset of stakeholders is more capable of recognizing a threat. Hence, it is critical to design a procedure that allows this information to flow and to reach the decision makers in a timely and proper manner. This indicator aims to measure this phenomenon.

    10. Responsiveness to internal control deficiencies

    78. Are procedures or protocols in place to determine which internal control deficiencies are significant and should therefore be reported to top management?

    2: yes, there are formal protocols;
    1: yes, there are informal procedures to determine which IC deficiencies are significant, using for example professional judgement;
    0: There are no protocols in place to determine the significance

    Reference category: Monitoring

    There may be a range of internal control deficiencies; however, not all such deficiencies may be significant in magnitude and warrant corrective action. Protocols may be used to separate the significant findings from those of lesser importance (COSO, 1994, p. 76). If only those of significant magnitude are reported to top management, this allows top management to better focus its attention on and address the most pressing issues, making the entity more responsive to such issues. Moreover, protocols will allow for audit findings to be dealt with in a uniform manner, removing the scope for potential errors in judgment regarding which findings should be reported to top management.

    79. Are procedures or protocols in place to communicate problems identified with internal control to the appropriate decision making bodies with the authority to take corrective action?

    2: yes, there are formal protocols;
    1: yes, there are informal procedures to communicate IC problems;
    0: There are no procedures in place to communicate internal control problems

    Reference category: Monitoring

    In order to take corrective action, addressing identified internal control deficiencies, the existence of such deficiencies must be reported to the appropriate individuals. Specifically, deficiencies should be reported to those with the authority to make decisions regarding what corrective action to take and ability to enforce such decisions. This indicator captures whether there are specific protocols in place that ensure the appropriate individuals are informed of internal control deficiencies identified through either internal or external audit (COSO, 1994, p. 76; INTOSAI, 2004, p. 42).

    80. How often are internal control problems reported to those who have authority to take corrective action?

    4: always;
    3: often;
    2: occasionally;
    1: rarely;
    0: never

    Reference category: Monitoring

    In order to take corrective action addressing identified internal control deficiencies, the existence of such deficiencies must be reported to the appropriate individuals. Specifically, deficiencies should be reported to those with the authority to make decisions regarding what corrective action to take and ability to enforce such decisions (COSO, 1994, p. 75; INTOSAI, 2004, p. 42). This indicator captures whether the appropriate individuals are informed of internal control deficiencies identified through either internal or external audit.

    81. How often are problems reported to those one level up so that there is assurance that the corrective action is taken?

    4: always;
    3: often;
    2: occasionally;
    1: rarely;
    0: never

    Reference category: Monitoring

    Even if internal control deficiencies identified through internal or external audit are reported to individuals with the authority to take corrective action, it may also be necessary to report the deficiency to those one level above. This ensures that decisions regarding corrective action are appropriate and such decisions are followed through with action (COSO, 1994, p. 75; INTOSAI, 2004, p. 42). This indicator captures whether deficiencies are reported to those one level above to ensure an effective response.

    82. Are there procedures for follow-up and monitoring of the effectiveness of corrective action?

    3: very formal (defined in a policy);
    2: somewhat formal (routinely addressed following the same procedures);
    1: case-by-case procedures;
    0: No procedures for follow-up are in place

    Reference category: Monitoring

    A corrective action taken to address an internal control deficiency may not always be effective in reducing risk. Thus, it may be necessary to follow up and monitor whether corrective actions are having the intended effect of risk mitigation (INTOSAI, 2004, p. 42). This indicator captures whether there are procedures in place for such monitoring and the level of formality that these procedures take. If formal procedures exist, this indicates that the entity is more responsive to internal control deficiencies, as irregular or case-by-case approaches allow for inconsistencies.

    83. Are there procedures to evaluate the appropriateness of internal audit reporting lines and follow-up procedures?

    3: very formal (defined in a policy);
    2: somewhat formal (routinely addressed following the same procedures);
    1: case-by-case procedures;
    0: no procedure

    Reference category: Monitoring

    The reporting procedures for internal audit findings as well as procedures for follow-up to corrective action should be appropriate. This means audit findings should not be shared with too many individuals or, to the contrary, too few, which may risk whether corrective action is taken at all. Moreover, follow-up procedures to monitor the implementation and effectiveness of corrective action should not be overly rigorous, expending unnecessary resources, or, in contrast, too lax and informal. Thus, an appropriate balance needs to be achieved and continuous evaluations of reporting and follow-up procedures may be necessary to maintain such balance. This indicator captures whether evaluative procedures exist and the level of formality they take (COSO, 1994, pp. 74-76).

    84. Is the entity's top management held responsible for ensuring that there is a follow-up to internal control deficiencies as identified by internal audit?

    Yes (please specify how) / No

    Reference category: Ministry/Department

    If the top management of the entity is held responsible for ensuring that follow-ups are carried out in terms of internal control deficiencies, it is more likely that the entity will be in compliance. Any irregularities found through internal audit will more likely be acted upon and in a timely manner.

    11. Procedural integrity of internal audit

    85. Are there clear objectives defined for internal control activities?

    3: each internal control activity has a clearly defined objective;
    2: only major control activities have clearly defined objectives;
    1: objectives are defined for internal control activities on a case-by-case basis;
    0: control activities typically do not have defined objectives

    Reference category: Monitoring

    As part of an internal audit, the effectiveness of internal control activities can only be evaluated if there are clear objectives outlined for such activities. Control activities are evaluated in relation to their effectiveness in meeting such objectives (INTOSAI, 2004, p. 41). This indicator captures the extent to which there are clear objectives for control activities, which in turn allow for a more rigorous and procedurally sound audit.

    86. Does the internal audit body report to top management?

    2: yes, only to top management;
    1: yes, to top management and others (e.g. unit managers, please specify);
    0: no, the internal audit body does not report to top management

    Reference category: Monitoring

    That an internal audit body only reports to top management is a key component contributing to the independence of the audit body. Independence is thought to lead to a more rigorous and transparent internal audit function (INTOSAI, 2004, p. 20). This indicator captures whether the internal audit body reports to top management or others.

    87. Is the internal audit body composed of individuals external to the entity?

    2: yes, at least 50% (the other part being individuals internal to the entity);
    1: yes, a minority of the internal audit body are individuals external to the entity;
    0: no, entirely composed of individuals internal to the entity

    Reference category: Monitoring

    If an internal audit body contains individuals external to the entity being audited, this may contribute to the independence and objectivity of the assessment. Independence is thought to lead to a more rigorous and transparent internal audit function (INTOSAI, 2004, p. 45). This indicator captures the extent to which the internal audit body is composed of individuals external to the entity in which the audit is being conducted.

    88. Is the internal audit body composed of qualified auditors and accountants?

    3: yes, all of the internal audit body is composed of qualified auditors and accountants;
    2: yes, the majority are qualified auditors and accountants;
    1: yes, a minority are qualified auditors and accountants;
    0: no, there are no qualified auditors and accountants

    Reference category: Monitoring

    An audit conducted by individuals with professional training in accounting and/or auditing may be more compliant with protocol, rigorous, and thorough in identifying deficiencies in internal control. This indicator captures the extent to which the internal audit body is composed of qualified individuals.

    89. Is there a document outlining the following: the purpose of internal audit, responsibilities of those involved in internal audit, and a definition of a clear procedure for how internal audits should be conducted?

    3: yes, document in place and reviewed once or more a year;
    2: yes, document in place and reviewed less than once a year;
    1: document in place but no review;
    0: no

    Reference category: Monitoring

    If there is a document outlining the purpose of internal audit, responsibilities of those involved in internal audit and defining a clear procedure for how internal audits should be conducted, this allows for clarity within the entity regarding internal audit and may improve the audit function. Audits are more likely to be conducted in a uniform manner comparable across time. This indicator captures whether such a document exists and how often it is reviewed (studied and/or changed) by those involved in internal audit.

    90. If some of the entity's activities are outsourced, does internal audit evaluate the effectiveness of the internal control activities of the outside organisation?

    2: yes, for all outsourced activities;
    1: yes, for a subset of outsourced activities;
    0: no, internal audit does not evaluate internal control activities of outside entities;
    N/A: no activities are outsourced


    Reference category: Monitoring

    Outsourcing may pose a risk to achieving an entity-wide or unit objective if the entity conducting the outsourced activity does not have its own effective internal controls in place. Thus, the internal audit of an entity may expand its scope to include monitoring the control activities of the external entity conducting the outsourced activity. Doing so allows for a more comprehensive audit assessment, and deficiencies in the internal control of the external organisation (which may pose risks to the entity) may be identified. This indicator captures whether and to what extent the internal audit does include an assessment of the external entity where outsourcing exists.

    91. Is reporting of sensitive problems (such as illegal or improper acts) handled by:

    2: formal protocols universally applied;
    1: case by case, but general guidelines in place;
    0: case by case only, no guidelines exist

    Reference category: Monitoring

    Findings of illegal or improper conduct may need to be handled in a specific manner following protocols different from those used to handle other findings of an internal audit (INTOSAI, 2004, p. 42). The presence of such protocols allows for transparency and removes any conflict of interest issues in the handling of illegal conduct. This indicator captures whether such protocols exist.

    12. Rigour of internal audit

    92. How often are internal audit assessments done?

    4: systemically (very regularly on a set schedule);
    3: occasionally (regularly, but on a case-by-case basis);
    2: rarely (very infrequent);
    1: never, but planned in the next year;
    0: never

    Reference category: Monitoring

    This indicator captures how often internal audit assessments are completed and if they are completed on a planned schedule (COSO, 1994, p. 71). The implication is that the more often and systematically internal audits are conducted, the more rigorous the internal audit function.

    93. In addition to the frequency stated in the question above, are internal audits performed more often in units where discrepancies have been identified?

    Yes/No

    Reference category: Monitoring

    The internal audit function will be more rigorous and contribute to effective internal control if audits are conducted more often on units where internal control deficiencies have been identified and which thus pose a higher risk. Close monitoring may assist in ensuring that the deficiencies are addressed. Such monitoring could include an assessment of the level of risks, the competency of those involved in implementing controls, and the effectiveness of ongoing monitoring of internal control (COSO, 1994, p. 71).

    94. Does the scope of internal audits vary?


    Yes/No

    Reference category: Monitoring

    Whether or not the scope of internal audits varies does not necessarily have an effect on the rigour of internal audit. However, if the scope does vary it is important to measure how it varies, which is captured in the next indicator.

    95. > If so, are controls that address higher priority risks evaluated more often?

    Yes/No

    Reference category: Monitoring

    This indicator captures how internal audits vary in relation to the rigour of internal audit. Based on the indicator above, it is established that the scope of internal audits does vary. In order to have a more rigorous internal audit, the internal audit needs to evaluate more often those controls that address higher priority risks.

    96. Is there extensive documentation of the current internal control activities in place?

    2: fully documented;
    1: partly documented;
    0: not documented

    Reference category: Monitoring

    With full, extensive documentation, auditors will have full knowledge of controls and are able to conduct a thorough and accurate evaluation (INTOSAI, 2004, p. 38). Documenting controls will allow for more efficient internal audit evaluations (COSO, 1994, p. 73). Therefore, full documentation results in a more rigorous internal audit.

    97. Is there any procedure to evaluate the effectiveness of internal audit?

    2: yes, there is a procedure to evaluate the effectiveness of internal audit and it looks at the logic and appropriateness of evaluation;
    1: yes, there is a procedure to evaluate the effectiveness of internal audit and it looks at (only) how closely the IA procedures match that of international standards;
    0: no procedure

    Reference category: Monitoring

    While internal audit is important in that it evaluates internal control, a rigorous internal audit also means that the internal audit function itself is logical and appropriate. This needs to be established through evaluations of the internal audit function. If there is a procedure that evaluates the effectiveness of internal audit, this indicator receives a higher score in the dimension of rigour of internal audit. Internal audit in the public sector is commonly based on international standards and evaluations may look at the compliance of internal audit with these standards. A close alignment does not, however, necessarily mean that the internal audit function is appropriate and contextualised enough, as an entity may have specialised controls.

    13. Involvement of SAI in IC

    98. Does the supreme audit institution evaluate the effectiveness of internal control or effectiveness of internal audit or both?


    1: Yes, only in case of irregularities;
    1: Yes, sometimes (specify why);
    0: No

    Reference categ